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1 INTRODUCTION 


This edition of the OneOS Book corresponds to the V4.3R4E21 and V5.1R3E1 software releases of 
OneOS. It is also available for all previous software releases of OneOS according to the features matrix 
described hereafter. 


The OneOS software developed for use with the ONE product range offers an extensive range of features 


designed to provide a complete & highly powerful range of multi-service access routers: 


e = Full IP router with NAPT, Security, and Quality of Service management 


e Support of voice for analog and ISDN SO/TO terminals using Voice over IP and Voice over ATM 
e —_Interworking of data protocols (FR, X.25, PAD, XOT, X.31) 
e Advanced management tools based on CLI (Command Line Interface), SNMP, FTP/TFTP 


This document is the OneOS user guide for admin functions of the OneOS-based range products. 


Seven other user guides and two global indexes are available: 


O° 


° 


O° 


OneOS - Bridging & LAN User Guide 

OneOS - Basic IP User Guide 

OneOS — Advanced IP User Guide 

OneOS — WAN User Guide 

OneOS — VoIP User Guide 

OneOS — VoATM & CES User Guide 

OneOS — IBC User Guide 

Index of OneOS User Guides (global table of contents) 

Index of CLI of OneOS User Guides (global list of CLI commands) 
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FEATURE MATRIX 


The following table is a resource providing edition by edition the released features. The table was done as 
of the V3.5R2E3 release. For simplification, the indicated software release shows the presence of a 
feature in a given software release starting with V3.5R2E3. It should be noted that most features were 
available in earlier versions. 

























































































Main Function | Feature Present at least in: 
File system Checking downloaded SW and boot integrity V3.5R2E3 
Dual SW image boot V3.5R2E3 
File transfer via FTP client V3.5R2E3 
File transfer via TFTP client V3.5R2E3 
TFTP server for file uploading V4.1R5E6 
Download and extract a TAR archive in file system V3.7R11E14 
HTTP client over IPv6 V5.1R2E5 
General Command output filtering with the ‘|’ command V3.5R2E3 
management | Command for checking integrity of a downloaded boot or V3.5R2E3 
functions software image 
Password recovery V3.5R2E3 
Delayed reboot V3.5R2E3 
Restore factory settings command V3.5R2E3 
Banner (before/after logging in) up to 230 characters V3.5R2E3 
Banner (before/after logging in) up to 9200 characters V4.3R2E2 
Global statistics screen V3.5R2E3 
CPU load statistics V4.2R5E6 
show ip interface brief command V3.5R2E3 
Logging to a syslog server V3.5R2E3 
Blacklist management (console, tshell, telnet, SSH, web) V4.2R5E2 
Date/Time Manual date/time setting V3.5R2E3 
Clock offset based on time zone and summer time V3.5R2E3 
Synchronization with an NTP server (broadcast mode or V3.5R2E3 
not) 
Setting of SNTP source address (in non-broadcast mode) V3.5R2E3 
SNTP server V4.2R3E6 
IPv6 SNTP client V5.1R2E5 
Configuration | Check SIP gateway registration to trigger configuration V3.7R10E3 
Recovery recovery 
Check ping status to trigger configuration recovery V3.7R10E3 
SNMP Version 1, version 2C V3.5R2E3 
Multiple read-write communities V3.5R2E3 
Restricting SNMP access via access-lists V3.5R2E3 
Setting of SNMP source address V3.5R2E3 
SNMP v3: DES/3DES/no encryption, SHA/MD5 V3.5R2E3 
authentication 
SNMP views V3.5R2E3 
SNMP informs (acknowledged traps in SNMP v3) V3.5R2E3 
Configuration of SNMP chassis-id, contact and location V3.5R2E3 
SNMP MIBs: please check OneOS software release notes V5.1R2E5 
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Main Function | Feature Present at least in: 
Traces and Event function (logging of state changes) to a syslog server, V3.5R2E3 
logging SNMP traps, console/file logging 
Logging of configuration history V3.5R2E3 
Trace and debug function (logs: buffered, syslog, console, V3.5R2E3 
file) 
Ping/traceroute | Ping with source address setting V3.5R2E3 
Extended ping V3.5R2E3 
Ping for IPv6 V5.1R2E5 
Traceroute with source address setting V3.5R2E3 
Traceroute for IPv6 V.5.1R2E5 
Telnet Telnet client. Configurable port and source address V3.5R2E3 
Clear session of another user V3.5R2E3 
Setting up an access-list to restrict access to the embedded V3.5R2E3 
server 
Telnet client over IPv6 V5.1R2E5 
Telnet server: configurable timeout, attachment to one or V3.5R2E3 
more interface and telnet server access restriction by an 
ACL 
Telnet server over IPv6 V5.1R2E5 
SSH SSH server version 2 V3.5R2E3 
Configurable DSA signature length V3.5R2E3 
Enabling/disabling the SSH server V3.5R2E3 
Attaching the SSH server to one or more interfaces V3.5R2E3 
Attaching the SSH server to an ACL for access restriction V3.5R2E3 
SSH remote "exec telnet" command V4.2R5E15 
SSH local port forwarding V4.3R2E2 
Web Configurator] HTTP server V3.5R2E3 
HTTPS server V4.2R2E2 
Web downloading/uploading restriction V4.2R2E2 
HTTP proxy V4.2R3E6 
HTTPS certificate management V4.2R4E2 
Packet capturing | Filter and log packets of an interface V3.5R2E3 
Saved captured packets in a pcap file V3.5R2E3 
Capture of 802.11 frames V4.2R3E6 
AAA, Local user | Configuration of local users V3.5R2E3 
database and | Support of 15 privilege levels V3.5R4E3 
pole Daved CO Modification of default command privilege level (‘privilege’ V3.5R2E3 
commana) 
RADIUS based user authentication V3.5R2E3 
RADIUS over IPv6 V5.1R2E5 
TACACS+ based user authentication V3.5R2E3 
Command authorization via TACACS+ servers V3.5R2E3 
TACACS+ accounting (start-stop signal for commands, V3.5R4E3 
stop-only signal for exec session) 
TACACS+ over IPv6 V5.1R2E5 
Certificates Show certificates V4.2R5E2 
Public Key Infrastructure (PKI) V4.2R5E6 
Self-signed HTTPS server certificate V4.2R5E6 
Certificate signing request V4.2R5E6 
Certificate import V4.2R5E6 
Use of a trust-point for revocation checking V4.3R3E2 
Performance | ICMP echo probe: measuring RTT and packet loss V3.5R2E3 
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Main Function | Feature Present at least in: 
Measurement | ICMP echo configuration via CLI or SNMP V3.5R2E3 
ga Path echo probe (configuration by CLI and SNMP) V3.5R2E3 

Path jitter probe (configuration by CLI) V3.5R2E3 
RTR responder V3.5R2E3 
History of the last measurements V3.5R2E3 
Measurement result distribution to form statistics V3.5R2E3 
Reaction triggers V3.5R2E3 

Auto-update DHCP method: Automatic software download V3.5R4E3 
DHCP method: Automatic configuration download V3.5R4E3 
Auto-update via http V3.7R11E14 

CWMP (TR-69) | Download RPC: configuration, OS, web pages V4.2R2E2 
Configuration download in add-in or overwrite mode 
Upload RPC V4.2R2E2 
Inform trigger events: periodic, boot, bootstrap, request V4.2R2E2 
download 
Reboot RPC V4.2R2E2 
Factory Reset RPC V4.2R2E2 
Get RPC Methods RPC V4.2R2E2 
Schedule Inform RPC V4.2R2E2 
TR-69 Pass-Through (TR-111) V4.2R2E2 
STUN client configuration V4.2R2E2 
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2 SYSTEM MANAGEMENT 





2.1 INTRODUCTION TO SYSTEM MANAGEMENT 


OneOS offers an embedded file system for software and configuration files. It is possible to save several 
software releases and configuration files. When the equipment is started up, the boot software reads the 
application software file (via the file system), decompresses this software image and launches the 
application software and the configuration file. 


The OneOS-based router provides interfaces for device management: 


e Console Port: Asynchronous port, used primarily for access to the Command Line Interface (CLI) for 
configuration and management, and optionally for using embedded debugging. 


e Ethernet Port: Enables connection of a PC for configuration via Telnet or the downloading/uploading 
of files with TFTP/FTP. The IP address of the port is configurable with the CLI. It is also possible to 
manage configuration or file transfers via the second Ethernet port or remotely via IP over ATM. 


2.1.1 Preliminary Instructions 


e The device configuration is not case-sensitive. 


e Keywords in commands are written in the following style keyword. Parameters, which are user- 
defined, are not bolded in the command line. 


e User-defined parameters are written inside the < > expression and are not written in bolded 
characters. Example: <ip-address>. 


e Optional instruction parts are written between the following characters [ ]. Example: [optional- 
instruction-set]. 


e When several alternatives are possible, they are written between braces. The | character is the 
separator between the alternative instruction sets provided between braces. Example: 
{ instruction-set-1 | instruction-set-2 | ... }. 


e Ranges of discrete values are provided as follows: <lowest-number..highest-number> or 
<lowest-highest>. Example: <1. .30> is the same as <1-30>. 


2.1.2 Getting Started 
The equipment is delivered with OneOS software and a default configuration file. Two methods can be 
used to enter into the configuration CLI: 


1 - Connect to the FastEthernet 10/100 port (or to Ethernet 10Base-T port of ONE400). For routers with an 
embedded switch, use the Fast Ethernet (port 0/0) on the right hand-side (port 0 on left hand-side for 
ONE60) and use a Telnet client with the following default factory settings: 


e IP address: 192.168.1.10 
e Username = admin Password = admin 


Note: unauthorized connection attempts are subject to blacklisting (see 2.28). 
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2 - Connect to the console port (default factory settings): 
e Serial parameters: 9600 bps, 8 bits data, No parity, 1 Stop bit, No flow control 
e = After the reboot 


Username: admin 
Password: admin 
Chi> 


Note: unauthorized connection attempts are subject to blacklisting (see 2.28). 


While entering CLI mode it is possible to read, modify or create a configuration and access the file system 
(see next paragraphs). 


The prompt (CLI in the example) can be changed using the following command: 


CLI> hostname <newname: string 1..64> 


Warning: the prompt may be truncated, depending on the context, when the hostname string gets a 
high length. 
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2.2 CONSOLE PORT SETTINGS 


2.2.1 Default Settings 


The console port is enabled and functions with the following parameters: 9600 bps, 8 bit-encoding, No 
parity check, 1 Stop bit, No flow control. 


2.2.2 Console Port Inactivity Timeout 


After an inactivity period, the user is prompted to enter its login and password again. By default, the 
timeout is 10 minutes. To configure the console timeout, the command in global configuration mode is: 


CLI (configure)> console timeout <seconds> 
To restore the default timeout, use: 


CLI (configure)> default console timeout 


2.2.3 Disabling Console Port 


For security reason, it is sometimes desirable to forbid access to the system console port. From the 
management center, we can use "telnet" or "FTP" to change the device configuration and disable the 


console port with the following command: 


CLI> console disable-input 


To re-enable the console port, use the following command (via Telnet for example): 





CLI# console enable-input 
2.2.4 Detecting Console Cable Disconnection 


Warning: this function is only available on selected devices and needs a specific console cable to 
work properly. Refer to OneAccess Customer Support for more information. 


By default, the console session is not automatically logged out when the console cable is disconnected. 


To enable automatic logging out of the console session when the console cable is disconnected, use the 
following command in global configuration mode: 


CLI (configure) > console loop-check enable 


To disable the function, use the following command in global configuration mode: 





CLI (configure) > console loop-check disable 
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2.3 FILE SYSTEM 


2.3.1 Introduction 


Two file systems are available: 


e The ramdisk file system identified by ramdisk: /, which is volatile. It is used only by the system. 


e The disk file system named as flash: /, which is permanent. It includes software and configuration 


files. 


The file systems are pre-formatted at the factory. 


The ramdisk content is erased on power on (not after a reboot). 


2.3.2 File Systems Layout 


The ramdisk contains: 


e The tmp directory for saving temporary files 


e The history-config file: a text file that contains the CLI commands used to build the current 


configuration 
The permanent disk contains: 


e ABSA directory including: 


© binaries: the sub-directory that contains execution files (i.e. OneOs) 


o config: the sub-directory that contains configuration files (i.e. bsaStart.cfg) 


o dump: the sub-directory for log and debugging purposes 


o bsaBoot.inf: a text file that contains the current location and name of the software file as 
well as the current location and name of the configuration file. 


e Events files (log messages) 


2.3.3 File System Commands 


The following CLI commands are available for the management of files and directories on the disk file 


system: 


e devs [flash | ramdisk]: 


Without parameters, the command displays the drive in use 


(flash or ramdisk). With parameters, the user can change the current device. 


e =6pwd: 


Displays the current working directory (initialized when a CLI 


session is started to the root of the current device) 


. ed <directory>: 

e mkdir <directory>: 

e 1s: 

e cat <filename>: 

e exec -echo <filename>: 
e rm <filename>: 


e rmtree <directory-path>: 


° mv <filenamel> <filename2>: 


Changes the working directory 

Creates a new directory 

Lists files and directories inside the current directory 
Lists the contents of a text file 

Executes a CLI script 

Removes a file 

Removes a directory and all files and sub-directories 


Renames a filename 
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e copy <filel> <file2>: Copies a file (Source: file1, destination: file2) 


° copy tftp://<tftp_server>/<filel> <file2> [<source-interface> <unit>]: 
Downloads a file (filel) from a TFIP server and save it under file2. Example: 
copy tftp://10.20.30.2/OneOs OneOs.new loopback 1 


e copy tftp://<tftp_server>/<filel>.tar <path> [<source-interface> <unit>]: 
Downloads a TAR file (file1) from a TFTP server and save it under target path 


e copy <filel> tftp://<tftp server>/<file2>: Uploads file! to a TFTP server and save the 
file as file2 on the server 


e copy http://<ipv4-or-name>[:<port>]/<path> <destination-file> [<source- 
interface> <unit>]: Downloads a file from an IPv4 HTTP server. If you need to 
include the "?" character in the URI, the URL must be included between quotes. Example: copy 
“http://1.2.1.1/test.cgi?var=1” myfile.txt 


e copy http://<ipv6-in-brackets>[:<port>]/<path> <destination-file> [<source- 
interface> <unit>]: Downloads a file from an IPv6 HTTP server. Warning: the HTTP 
URI is encoded with IPv6 address between brackets as explained in RFC 2732. Example: copy 
http://[2000:0234]:8080/myfile.txt file.txt 





e show device status { flash: | ramdisk }: Shows the available space in the 
flash/ramdisk disk and some miscellaneous information of file system status 

e chkdsk: Verifies if the file system is corrupted 
Examples: 

CLI> cd / 

CLI> pwd 

/ 

CLI> ls 

Listing the directory / 

BSA/ 2048 

ibc/ 2048 

CWMP2.log 615 

telnet2.log 3723 

snmpv3_engine.log 51 

telnetl.log 3612 

password 43 

CWMP1.1log 188 

CLI> cat snmpv3_engine.log 

engine = 12 8000338703000012ef417£97 


boots = 66.0.0 Atm 0.1 


Example for downloading a new software release: 
1. Read the bsaBoot.inf file to read the current location and name of the software: 


CLI> cd BSA 
CLI> cat bsaBoot .inf 


flash: /BSA/binaries/OneOs 
flash: /BSA/config/bsaStart.cfg 





2. Runa TFTP server on a PC (IP address IP = 10.10.10.1) and enter the following command: 


CLI> cd BSA/binaries 
CLI> copy OneOs OneOs. sav 
CLI> copy tftp://10.10.10.1/c:\temp\OneOs.ZZZ OneOs 


3. After the file transfer, reboot the device: 


CLI> reboot 
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2.4 GETTING ROUTER HARDWARE & SOFTWARE INFORMATION 


If you want to display details of the router hardware, please enter the following command: 


CLI> show system hardware 


To display additional details of the router hardware, please enter the following command: 


CLI> show product—info-area 


To show the current running software version: 


CLI> show version 


To show the software version of an OneOS image in flash: 


CLI> show soft-file info <path/name> 


Usually the command must be the following: 


CLI> show soft-file info /BSA/binaries/OneOs 


To show the actual configuration (the running-config) of the OneOS-based router, please enter the 
following command. 

CLI> show running-config 
This command, like all show commands, can be used with filtering parameters to limit the number of lines 
that will be displayed. 


Use the following command to display only the lines that contain word (in that case the string word must 
follow immediately the pipe character — with no space in between). 


CLI> show running-config | <word> 


Use the following forms of the command to use more filtering possibilities (in that case a space must follow 
the pipe character). 


CLI> show running-config | {begin|beginat <n>|include|exclude} <word> 


Use | begin <word> to display starting from the first line that contains word. 
Use | beginat <n> <word> to display from the first line that contains the n'" occurrence of word. 
Use | include <word> to display only the lines that contain word. 


Use | exclude <word> to display only the lines that do not contain word. 
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2.5 START-UP 


A file, bsaBoot .inf in directory BSA is used on start-up to load and execute the OneOS software and to 
run the startup configuration file. 


For example, inthe bsaBoot.inf file 2 lines are written: 
flash: /BSA/binaries/OneOs 
flash: /BSA/config/bsaStart .cfg 
The first line (OneOs) is the application software image file and the second line (bsaStart.cfg) is the 
configuration file used on start up. 
It is possible to change the content of the bsaBoot . inf file by using the following commands. 
To change in the bsaBoot . inf file the application software image file name: 


CLI> boot software image <full-pathname-OneOS> 


To change in the bsaBoot . inf file the configuration file name: 





CLI> boot configuration <full-pathname-config> 


If the startup configuration file is not present the device starts up with a default configuration. 


Note: the software image file and the configuration file can be uploaded / downloaded to and from a server 
using the file system commands depicted in 2.3. 
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2.6 CONFIGURATION OF MANAGEMENT FUNCTIONS 


The Command Line Interface enables the user to configure and to fully manage the OneOS-based router 
with an easy-to-use interface. Modifications made to the parameters are applied immediately after 
checking parameter consistency and validity. The CLI is accessed via a Telnet session (locally or 
remotely) or via the Console serial port. 


A shell/debug interface is accessible from the console interface by entering the command tshel1 on the 
CLI (after entering the shell interface, the CLI command can be used to return to the CLI). The shell/debug 
interface is outside the scope of this document and its usage is only intended for OneAccess support and 
development team. 


Note: unauthorized connection attempts are subject to blacklisting (see 2.28). 


2.6.1 Starting a Telnet Session 


The configuration session is accessible via a Telnet client session from a PC (or from a UNIX station) or 
from another connected OneOS-based router (see 2.13.1 for more information) using the command: 


CLI> telnet { <ipv4-address> | <ipv6-address> | <name> [ipv4 |ipv6] } 
[<port>] [<interface> <unit>] [vrf <vrf-name>] 


Warning: name resolution is not currently supported in IPv6. The keywords ipv4 and ipvé are meant to 
force name resolution in either IPv4 or IPv6. 


If the optional arguments <interface> <unit> are provided, the source address of sent Telnet packets 
will be forced to the IPv4/IPv6 address of the selected interface (depending of IP address format or DNS 
resolution). 


When first configuring the device, it is recommended to connect a PC to the 10/100base-T interface of the 
OneOS-based router (or the 10base-T interface of the ONE400) and use as target its corresponding IP 
address whose default value (factory setting) is 192.168.1.10. The user and password defined by default 
are admin and admin. (If the Telnet client is run from a PC under Microsoft Windows, it is best to select 
terminal options as "VT100 arrow"). 


By default, on the target, the Telnet server is attached to any interface with an IP address. To restrict the 
access to the target (see 2.13.2 for more information), a bind command must be entered. 


Note: unauthorized connection attempts are subject to blacklisting (see 2.28). 


2.6.2 Configuration Session 


After logging in and entering a CLI session the CLI offers a similar interface as a "UNIX shell" with a 
hierarchically defined tree of commands. It offers history and command editing, i.e.: 


e  CTRL-n or upper arrow: get next command 

e CTRL-p or lower arrow: get previous command 

e CTRL-b or left arrow: move cursor left 

e = CTRL-f or right arrow: move cursor right 

e CTRL-d or delete key: delete a character 

e  ESC-b: move one word backward 
e ESC-f: move one word forward 


The configuration commands are available after entering configure terminal command that makes 
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2.6.3 


2.6.4 


2.6.5 


the CLI entering in "global configuration mode". To return to the initial CLI state, either enter exit when 
the CLI is in global configuration mode or enter end at any stage of the device configuration. 


For each command there is an associated help string using the “?” character. The “?” character can also 
be typed in a command to display command arguments. 


For example: 


CLI> configure terminal 
CLI (configure)> interface loopback 0 
CLI (config-if)> ? 








bandwidth - Set bandwidth informational parameter 
crypto - Encryption/Decryption commands 

default - Set a parameter to its default value 
description - Interface specific description 

exit - Exit from interface configuration mode 
ip - Interface IP configuration commands 

no —- Negate a command 

service-policy - Configure QoS service policy 

shutdown - Shutdown the interface 

<cr> 


CLI (config-if)> 
Enabling Multiple Configuration Sessions 


By default only one configuration session (under configure terminal) is allowed at atime. 


To allow more than one configuration session at a time (up to 10, one local console session plus 9 other 
sessions e.g. 9 Telnet sessions), use the following command in global configuration mode: 


CLI (configure)> set multiple-conf-sessions enable 


To return to the default behavior and disallow multiple configuration sessions at a time: 


CLI (configure)> set multiple-conf-sessions disable 
Saving the Configuration on a Permanent Disk 


The user can save the running configuration (volatile storage) into the startup file for boot specified in the 
file bsaBoot.inf, or into a specific file when specified with the CLI save command (after leaving CLI 
configuration mode): 


CLI> save running-config [to <filename>] 


This command has the same effect as the write mem command. 


An event message can be triggered when saving the running configuration using the following command in 
global mode (refer to 2.11.2 for more information about event filters): 


CLI> event filter add adm config config-upd <action> 
Automatic and Periodic Backup of the Configuration 


To program an automatic and periodic backup of the saved configuration file (see above) and optionally of 
the IBC database files (see "OneOS — IBC User Guide" document), use the following commands in global 
configuration mode: 


CLI (configure> config-management 

CLI (config-management)> backup-copy [configuration-and-database] 

{ daily | weekly | monthly } <HH:MM> 
CLI (config-management)> exit 

CLI (configure> 





The configuration file and optionally the IBC database files will be backed up in the /BSA/config 
directory every day or week (every 7 days) or month (every 30 days) at time HH: MM. 


The backup command can be entered up to three times (daily + weekly + monthly) for each option 
(configuration file only — default — or configuration and IBC database files). Only one backup file (the last 
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one) is kept per time period. It is a bck text file for the configuration file only and a tar file for configuration 
and database backup. See example below. 


Two additional commands are available that can be used as information when retrieving the back upped 
files (these commands appear in the back-upped configuration file): 


CLI (config-management)> compatibility-index <0-255> 
CLI (config-management) > web-compatibility-—index <0-255> 





Example: 


CLI> 1s 
Listing the directory /BSA/config 


Autol-Yesterday-310710-09h15am.bck 1032 


Auto2-Lastweek-280710-09h15am.bck 1032 
Auto3-Lastmonth-270710-09h15am.bck 1032 
bsaStart.cfg 1032 
CLI> 


2.6.6 Editing a Configuration File 


The following is recommended for efficient configuration of an OneOS-based device: 
1. First, build the configuration in a text file on a PC using notepad.exe 

Open a Telnet session with the equipment 

Copy the configuration lines in the notepad window 


Paste the lines into the Telnet window 


ON oP, 100, 1S 


Save the configuration with the save running-config command if the configuration is to be used 
for the next reboot 


A second method consists of using the command copy. It is possible to upload the configuration on a PC, 
modify the configuration file with a simple editor such as notepad.exe, and download the configuration file. 


Example for uploading: 
CLI> copy /BSA/config/bsaStart.cfg tftp://193.1.1.2/c:\config.txt 


Example for downloading: 





CLI> copy tftp://193.1.1.2/c:\config.txt /BSA/config/bsaStart.cfg 


2.6.7 Scheduled Reboot 


After modifying a configuration it may be necessary to reinitialize the device: 


CLI> reboot [ after <seconds> 
| at <dd>/<mm>/<yy> <hh>:<mm>:<ss> 
| after no-voice-calls ] 


This is similar to a power down / power up procedure except that the ramdisk device is not cleared. If no 
argument is provided, the device reboots immediately. When using after <seconds> argument, a 
reboot is scheduled when the number of seconds has elapsed. at argument schedules a reboot at the 
provided date and time. In both cases a warning message scheduled reboot in 60 seconds 

is displayed 60 seconds before the actual reboot (only when configured delay is more than 60 seconds). 


after no-voice-calls argument schedules a reboot as soon as there is no voice call in process. 
If you wish to cancel a scheduled reboot, use the following command: 


CLI> reboot cancel 
2.6.8 Reboot and Test a New Configuration or Software Image 


You may want to test a new configuration file or test a new software image. For that purpose, a special 


Admin User Guide Page 2.6-20 of 130 


ONEOS V4.3R4 /V5.1R3 ADMIN USER GUIDE (EDITION 10) 


reboot command enables you to define a configuration file and a software image that are not the same as 
those contained in the /BSA/bsaBoot.inf file (default start parameters). With this command, the router 
reboots using the software image and configuration file and will re-use the default software image and 
configuration file at the next reboot, thus enabling you to check whether the new files are satisfying or not. 
The command line is the following: 


CLI> reboot-check [at <hh>:<mm>:<ss>] <sw-image> <config-file> 
at argument schedules a reboot at the provided time. If you wish to cancel a scheduled reboot, use the 
following command: 


CLI> reboot-check cancel 
2.6.9 Management of reboot log files 


When the device is going to reboot, a first log file is generated (except when reboot is due to power fail). 
Because the device can be in an "instable" situation following the reboot cause, this first log file contains 
information about the reboot in a raw format. This is done in order to secure its creation and use as few as 
possible system resources. After the reboot, a second log file is generated that contains the complete set 
of information that will allow off line debugging. 


The first log file is called a rawlog file also known as a secure-crashlog file while the second log file is 
called a crashlog file. 


The generation of the secure-crashlog file is enabled by default. The following command in global 
configuration mode allows disabling the generation of the secure-crashlog files. 


CLI (configure)> no system enable-secure-crashlogs 


Use the following command to restore the default behavior. 

CLI (configure)> system enable-secure-crashlogs 
Use the following command in global mode to display the number of secure-crashlog files that are 
actually stored in the /BSA/dump directory and sub-directories (maximum 5 files). 


CLI> show system secure-crashlog count 


Use the following command in global mode to display the content of the last secure-crashlog file. 

CLI> show system secure-crashlog 
Use the following command in global mode to erase all the crashlog files that are stored in the 
/BSA/dump directory. Use the -force argument to erase the files without asking for confirmation. 


CLI> system clean-crashlogs [-force] 
2.6.10 Reset of Device Configuration 


When using a device, it might be tedious to destroy the configuration. The following command simply 
erases the current configuration file and reboots immediately the device to take the default configuration 
enter in effect: 


CLI> erase saved-config 
2.6.11 Restoring Factory Settings 


This function enables to reload a router as if it was coming from factory. OneAccess factories can load a 
set of custom default files in flash of the router (to be discussed with OneAccess sales). 


As a first step, the restore-factory settings checks if flash: /BSA/binaries/OneOs exists and if itis a 
valid binary. In case of error, the restore factory settings function fails and an error message is displayed. 


If the above mentioned condition is met, the following actions are carried out: 


e Remove all files except certain system files 


o flash: /BSA/bsaBoot.inf 
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o flash: /BSA/binaries/OneOs 

o flash: /BSA/config/bsaStart.cfg 

o flash: /factory-backup/ (and all files found under that directory) 
o flash: /ibc (and all files found under that directory) 


o flash: /t f£tpboot (and all files found under that directory) 


e Restore certain system files based on specific security policies 
o Regenerate password file flash: /password 


o Regenerate file flash: /BSA/bsaBoot.inf 


e Restore certain content, based on "factory backup" content 


o if flash: /factory-backup/default-bsaStart.cfg exists, copy flash: /factory- 
backup/default-bsaStart.cfg to current configuration file (bsaStart .cfg) 


o if flash:/factory-backup/default-bsaStart.cfg does not exist, erase the start 
configuration (as given in flash: /BSA/bsaBoot. inf) 


o if flash:/factory-backup/default-web.tar exists, untar the file flash: /factory- 
backup/default-—web.tar in flash: /webroot/ (use the clean-up options; as the 
command: untar <file> <dest> clean-up all-sub-dir) 


o if flash: /factory-backup/default.wcfaccounts.ini exists, copy 
flash:/factory-—backup/default.wcfaccounts.ini in 
flash:/.wcfaccounts. ini; otherwise, erase .wcfaccounts.ini 


o if flash: /factory-backup/default-password exists, copy flash: /factory- 
backup/default-password into flash: /password 


The following command restores factory settings and reboots the OneOS-based router: 


CLI> restore factory-setting 
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2.7 SOFTWARE UPGRADE OF A ROUTER 


2.7.1 Upgrading a OneOS-based router 


There are several ways to upgrade a router with a new software release. This manual proposes to follow 
the following steps. Prior to making a software upgrade, it is strongly advised that you read information 
about the file system (2.3) and configuration management (2.6). 


First, you should verify that the file bsaBoot.inf has the following content. The verification is done as 
follows: 


CLI> cd /BSA 

CLI> cat bsaBoot .inf 

flash: /BSA/binaries/OneOs 
flash: /BSA/config/bsaStart .cfg 


The content of bsaBoot . inf, as listed above, conforms to OneAccess standard factory settings. The new 
software that you will load on the router will have to be named OneOs in the directory /BSA/binaries. 
The old software must be first saved under a new name (for backup): 


CLI> ed /BSA/binaries 


Before downloading the new software, please check that the flash disk provides enough space for the new 
file. 


CLI> show device status flash: 
If needed, remove older software with the rm command. Then, the new software must be downloaded via 
FTP or TFTP. Here is an example with TFTP: 

CLI> copy tftp://193.1.1.2/c:\tftp:\OneOs OneOs.new 


Optionally, you could have provided a source IP address (like loopback 1) for the TFTP transfer as follows: 
CLI> copy tftp://193.1.1.2/c:\tftp:\OneOs OneOs.new loopback 1 

Be careful that the file system is case sensitive. In other words, if OneOs is mistyped (wrong capital 

letters), the boot software will not start any software (e.g.: Oneos is wrong). 


Before rebooting, you can check the content of the directory: 


CLI> 1s 
OneOs 
OneOs .new 


To verify the downloaded OneOS checksum: 


CLI> verify soft-file [<path>/]<filename> 


CLI> show soft-file info [<path>/]<filename> 


For example: 





CLI> verify soft-file OneOs.new 
file is OK 


Finally, rename the file: 


CLI> mv OneOs OneOs.old 
CLI> mv OneOs.new OneOs 
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2.7.2 Up 


grading a ONE10 


Please read carefully the last section. On products were the flash space is limited (like the ONE10), the 


ramdisk i 
new One 


C 


Then ver 


s extended so that a new OneOS can be downloaded in the ramdisk; it is more secure to copy the 
OS into the ramdisk. Example: 


LI> copy tftp://193.1.1.2/c:\tftp:\OneOs ramdisk: /OneOs.new 


ify the integrity of the downloaded file: 





C 


LI> verify soft-file ramdisk: //OneOs.new 


file is OK 


Replace 


the old OneOS: 


CLI> copy ramdisk://OneOs.new flash: //BSA/binaries/OneOs 
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2. 


8 


PASSWORD RECOVERY 


Password recovery is needed when local passwords stored on the router are lost. With the password 
recovery procedure, all users/passwords in flash memory are deleted and the "admin"/"admin" 
login/password become then valid. However, a full restore of factory settings is done, meaning that the 
router configuration is also deleted. To learn more about "Restoring Factory Settings", please consult 
26.11. 


Password recovery is done by entering the following key sequence: <ESCAPEs>, then <CTRL>+Y and 
finally <CTRL>+4N. 
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2.9 CONFIGURATION RECOVERY 


2.9.1 Introduction 


The router boots up with a default startup-configuration that could be loaded at factory and guarantees that 
the network can be reached. A new configuration is imported on the router flash and the router is rebooted 
with that new configuration. In the event of the new configuration is not satisfactory, the router should 
reboot with the configuration specified by the recovery mechanism. The new configuration must have the 
configuration recovery mechanism configured using the CLI detailed in this chapter. 


Telling that a configuration is not satisfactory is a generic term. The criteria to define a configuration as 
being invalid must be well defined; they are: 


e configuration causing the router to crash; 


e configuration causing the router not to reach a specific IP address (that should be the network 
management IP address; if this IP can be reached, we consider that the NOC (Network Operations 
Center) can still fix the configuration remotely in case of incomplete configuration execution); 


e SIP gateway registration fails. 


When the backup-configuration is set, bsaBoot.inf points to the backup-filename as long as the above 
backup criteria are not met. The backup instructions appear at the top of the show running-config; in 
other words, the configuration backup is done potentially before a faulty CLI command is executed. 


The backup-filename must fulfill the following conditions: 
e backup-filename exists, is not empty and has a file size that is less than 100 Kbytes 
e The file contains only valid ASCII characters (A-Z, a-z, 0-9, \r\n\t, all punctuation marks) 


e backup-filename contains the string configure terminal. That’s just a small check in order to 
make sure the backup file looks like a configuration file. 


The connection status is verified using ICMP echoes with a default timeout of 3sec and/or the SIP 
registration. At the first successful ping, the ping test stops. After the configured backup-configuration 
criteria are all met, /BSA/bsaBoot .inf is restored and points again to the running-config. 


If no successful ping is realized or no sip-gateway registration is realized or if the router crashes during 
configuration loading, the router reboots with backup-configuration. A notification message is generated to 
tell the final result of the "backup-configuration" test. 


2.9.2 Configuration Commands 
First, the criteria to reboot with backup configuration must be defined within a check list: 


CLI (configure)> [no] check-list <name> 
CLI (config-chk-list) > 





Sending a ping to a destination can serve as backup criterion: if the ping fails, the router reboots with 
backup configuration. If the ping criterion is used, the next command must be entered 


CLI (config-chk-list)> ping target <ip-address> 


All the following parameters are optional. The initial delay before sending the first ping is by default 
60 seconds. To modify this value, enter: 


CLI (config-chk-list)> ping init-delay <seconds> 


Every ping is sent every 10 seconds; to choose another interval: 


CLI (config-chk-list)> ping retries-interval <seconds> 


By default, the source IP of ping packets takes the IP of the output interface. To force this IP: 











CLI (config-chk-list)> ping source <interface> <unit> 
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The timeout to consider a ping test failed is 3 seconds. To remove the ping criterion: 


CLI (config-chk-list)> no ping 


To use SIP gateway registration status as backup criterion, the command is: 


CLI (config-chk-list)> [no] sip-gw-registration 


Then, enter exit: 








CLI (config-chk-list)> exit 


The check list is an object whose status is OK or KO (the overall status is OK only if sip-gateway 
registration and ping tests are OK). The check list is then attached to a backup configuration element. If 
the checklist is not OK at the backup configuration timeout, the router reboots with the backup filename as 
start configuration. The configuration of backup configuration is as follows: 


CLI (configure) > backup configuration 
CLI (cfg-backup) > 


The checklist is attached / detached with the next commands: 


CLI (cfg-backup) > checklist <name> 
CLI (cfg-backup)> no checklist 


The default timeout is 180 seconds: 


CLI (cfg-backup) > timeout <seconds> 


The backup filename is entered with the command below: 


CLI (cfg-backup)> filename <path/name> 


Example: 


configure terminal 
! Start by setting the backup configuration 
backup configuration 
filename /BSA/config/mylastgood.cfg 
timeout 240 
check-list mylist 
exit 
! Then set the check-list configuration 
check-list mylist 
Ping target 10.10.10.1 
ping init-delay 30 
ping retries-interval 30 
Ping source bvi 3 
sip-gw-registration 
exit 
! Continue with my nominal equipment configuration 
(Caters) 


exit 





2.9.3 Statistics 


CLI> show system backup configuration 

overall status: {not configured|test in progress|no configuration backup needed} 
check-list name: mylist 

[check-list status: {not existing|not configured|pending|unsuccessful| successful}] 
CLI> show check-list [<check-list-—name>] 

check-list: mylist 

- ping init-delay: 30 

- ping retries-interval: 30 

— ping source: bvi 3 

- ping target: 10.10.10.1 

—- ping status: {not configured|pending|unsuccessful| successful} 

SIP gateway registration status: {not configured|pending|unsuccessful | successful} 


Admin User Guide Page 2.9-27 of 130 


ONEOS V4.3R4 /V5.1R3 ADMIN USER GUIDE (EDITION 10) 





2.10 SNMP BASED MANAGEMENT 


The device is manageable via the SNMP protocol, by means of its embedded SNMP agent. 


The device can be managed using three security models: SNMP v1, SNMP v2C or SNMP v8 protocol. The 
first two protocols provide a lower level of security, the latter offers the ability to authenticate and encrypt 
SNMP messages. 


By default, the IP source address of SNMP messages is the IP address of the outgoing interface used by 
these SNMP messages. To set another SNMP IP source address, use the following command in global 
configuration mode. Use any to return to the default interface. 


CLI (configure)> snmp source { <interface> | any } 
SNMP source is by default in the default VRF. Use the following command to set the VRF. Use the no 
form to return to the default VRF. 

CLI (configure)> [no] snmp vrf <vrf-name> 
By default, the IP source address of SNMP traps is the IP address of the outgoing interface used by these 


SNMP traps. To set another SNMP trap IP source address, use the following command in global 
configuration mode. Use any to return to the default interface. 


CLI (configure)> snmp trap-source { <interface> | any } 
SNMP trap source is by default in the default VRF. Use the following command to set the VRF. Use the no 
form to return to the default VRF. 

CLI (configure)> [no] snmp trap-source vrf <vrf-name> 
By default OneOS provides, for the MIB2 IfDescr MIB, names of physical interfaces with the suffix 


_physical (e.g. "bri0/0_physical"). To remove the suffix as in CLI commands (i.e. "brid/0") the 
next command is available. Use the no form to return to the default behavior. 


CLI (configure)> [no] snmp mib-ifdescr short 
By default OneOS provides, for the MIB2 IfDescr MIB, interface names with no space between interface 


and unit (e.g. "fastEthernet0/0"). To add a space as in CLI commands (i.e. "fastEthernet 0/0"), 
the next command is available. 








CLI (configure)> snmp config ifdescr-—with-space 


Use the following command to return to the default behavior (with no space). 


CLI (configure)> snmp config ifdescr-—no-space 
2.10.1 SNMP v1/v2 


To restrict access to device management data by using SNMP v1/v2, community names can be defined. 
The following command sets the community for read only access: 


CLI (configure)> snmp set-read-community <ro-community> [<encryption>] 
[<acl-name>] [v2group <group-name>] 
encryption is optional. When set to 0, the password is entered in clear text. When set to 1, the 
password is entered already encrypted using the encryption algorithm #1. 
The next command sets the community with the readt+write access: 
CLI (configure)> snmp set-write-community <rw-community> [<encryption>] 


[<acl-name>] [v2group <group-—name>] 


By default, public community is used for read-only access, while private community is used for read- 
write access. To remove SNMP v1 and SNMP v2 access, use the following commands from the 
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configuration mode: 
CLI (configure)> no snmp set-write-community 


CLI (configure)> no snmp set-—read-community 


SNMP v1 and v2 traps are configurable, provided that event managers are configured. For more 
information, go to the next chapter on traces and events. 


2.10.2 View-Based SNMP Access Control 


SNMP views can be configured to allow certain users to read, write or be notified for only certain parts of 
the MIB tree. SNMP views are typically configured when a telecom operator wants to access all MIB while 
allowing its customers to only see part of the MIB tree (e.g. counters related to the LAN/WLAN interface). 


The default views are the following: 
e videfault: all MIBs except the OID 1.3.6.1.6, i.e. the SNMP v3 objects 
e = v3default: all MIBs 


To configure an SNMP view, use the following command line: 


CLI (configure)> snmp view <view-name> <oid> { included | excluded } 





CLI (configure)> no snmp view <view-name> [<oid>] 


oid stands for the root Object ID in the MIB tree (is in the form a.b.c.d...). For example, the 1.3.6 OID 
stands for access to the whole Internet MIB. included indicates that the objects part of this sub-tree are 
part of the view. excluded means they are not visible. You can combine included and excluded sub-trees 
for the same view-name. It enables to define sub-trees that are globally visible, except few items in the 
sub-tree. 


SNMP groups give access-rights and authorization to a group of users. A group tells the minimum security 
level to use for users belonging to this group. To configure a SNMP group, use the following command: 


CLI (configure)> snmp group <group-name> {vl | v2c | v3 | v3auth | v3priv} 
[read <view-name>] [write <view-name>] 
[notify <view-name>] [acl <acl-name>] 


CLI (configure)> no snmp group <group-name> {vl |v2c |v3 | v3auth | v3priv} 


Then, the group is required when configuring SNMP v3 users (see next paragraph). 
To apply the SNMP view on a read/write v2C community, use the following command: 
CLI (configure)> snmp { set-—read-community | set-write-community } 
<community> [<acl-name>] v2group <group-name> 


2.10.3 SNMP v3 


SNMP v3 manages three levels of security: 


e The lowest level of security provides the same level of security as in v1 or v2. A user name 
authenticates SNMP packets. 


e Amedium level of security provides authentication using one authentication algorithm: MD5 or SHA1. 
This technique ensures data integrity and data origin authentication. 


e The high level of security, in addition to authentication, provides encryption with DES algorithm. This 
permits privacy of management flows 


2.10.3.1_ Basic Configuration 


To configure access to device management data by using SNMP v3, user names can be defined. Prior to 
configuring users, a unique engine ID must be defined. By default, engineId is based on the MAC 
address of FastEthernet interface. To configure a new enginelId, use the following command in 
configuration mode: 


CLI (configure)> snmp engine-id <enginelId> 
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Warning: As user security parameters are associated with local engineId, a change in the 
engineld automatically removes all configured users. 


To reset the default engineId, use the following command in configuration mode. As key material is 
tightly related to the engineTId, all users declared prior the change, have a wrong key material. It is 
strongly advised to reconfigure password for each user, so that user configurations become valid. 


CLI (configure)> default snmp engine-id 


To create an SNMP v3 user, use the following command in configuration mode: 





CLI (configure)> snmp user <user-name> <group-name> v3 
[ auth { md5 | sha } <auth-password> 
| priv { des | 3des } <priv-password>] 


If nor authenticated nor encrypted, accesses are chosen when configuring user; then the lowest security 
level is configured for that user. The chosen group security profile must match the user’s one: a group 
configured with only the attribute auth can only be associated with users’ v3 authentication (without 
encryption). If it is required to activate authentication and privacy, two commands must be entered; for 
example: 


CLI (configure)> snmp user username groupname v3 auth md5 authpassword 
CLI (configure)> snmp user username groupname v3 priv des encpassword 


The following command is deprecated and replaced by recommended command above: 





CLI (configure)> snmp user <user-name> <group-name> v3 

[ auth { md5 | sha } <auth-password> 

| encrypted auth { md5 | sha } <priv-password>] 
To remove a user, use the following command in configuration mode: 


CLI (configure)> no snmp user <user-name> v3 


Example: 


snmp group v3grp v3priv read view_all write view_all 
snmp view view_all 1.3 included 

snmp user v3user v3grp v3 auth md5 v3useruser 

snmp user v3user v3grp v3 priv des v3useruser 


Under Linux, the SNMP Walk command is: 


snmpwalk -v 3 -u v3user -a MD5 -A v3useruser -x DES -X v3useruser 10.100.30.1 1.3 


SNMP v8 traps are configurable, using event managers. However, users need to be declared so that 
necessary security level is retrieved inside the agent. 


2.10.3.2 SNMP v3 Informs 


To send SNMP v3 informs, remote users and remote entities need to be known. 


Inform requests are notifications that have to be acknowledged by the remote SNMP v3 entity (the 
manager where informs are sent). When sending an inform request, the manager answers to the device 
management with a response PDU. This reply ensures the emitting OneOS-based routers that the 
notification reached its intended destination. 


SNMP v3 informs are sent with the associated security parameters of the remote manager that is to say, 
the remote enginelId, and the associated user security parameters. 


There are several ways to know the remote engine ID. To retrieve the engineId, and its timing 
parameters from a remote IP address, use the following command in global configuration mode: 


CLI (configure)> snmp discover remote-agent <A.B.C.D> 


This command triggers a discovery process that sends SNMP get request packets and waits for SNMP 
get responses from the remote entity. 


It is also possible to manually configure an engineId associated with an IP address with the following 
command in configuration mode: 
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CLI (configure)> snmp engine-id <engineId> remote <A.B.C.D> 
[ max-msg-size <0-8192>] 


If the above commands are successful, the retrieved engineTd is saved in a local configuration datastore 
(LCD). 


The LCD can be filled in dynamically when triggering the discovery process by sending an SNMP v3 
inform, or by configuring an SNMP v3 user. 


To delete a remote enginelId from the local configuration datastore, use the following command in 
configuration mode: 


CLI (configure)> no snmp engine-id <engineId> remote <A.B.C.D> 


The command below creates a SNMP v3 user with its remote IP address. A discovery process will retrieve 
the remote engineTId to get authentication or encryption keying material. 


CLI (configure)> snmp user <user-name> <group-name> v3 
remote ip-address <A.B.C.D> 
[ auth { md5 | sha } <auth-password> 
| encrypted auth { md5 |sha } <priv-password>] 


To configure a user without triggering the discovery process, you can associate a user to the remote 
engineld by using the following configuration command: 


CLI (configure)> snmp user <user-name> <group-name> v3 
remote engine-id <enginelId> 
[ auth { md5 | sha } <auth-password> 
| encrypted auth { md5 | sha } <priv-password>] 


To remove a remote user from the local configuration datastore, use the following configuration command: 


CLI (configure)> no snmp user <user-name> v3 remote engine-id <enginelId> 
CLI (configure)> no snmp user <user-name> v3 remote ip-address <A.B.C.D> 





Use the following configuration command to define in seconds the timeout for informs responses. Use the 
no form of the command to use the default value (15s). 


CLI (configure)> [no] snmp informs timeout <2-60> 
Use the following configuration command to define the number of retries for informs sending. Use the no 
form of the command to use the default value (8). 


CLI (configure)> [no] snmp informs retry-count <0-255> 
2.10.4 IPv6 Access Lists 


An |Pv4 access list can be attached to either SNMP communities (SNMP V1/v2) or to SNMP group (SNMP 
v1/v2/v3). The SNMP manager is enabled de-facto when IPvé6 is enabled in the OneOS-based router. An 
IPv6 access-list can be bound to the SNMP manager to prevent unwished access from specified sources. 
The ACL binding is configured as follows under global configuration mode: 


CLI (configure)> bind snmp acl ipv6 <ipv6-acl> 
2.10.5 Miscellaneous 


At any stage of the configuration, information about the SNMP agent can be modified. To configure the 
location of the device, use the following command line: 


CLI (configure)> [no] snmp location <text: 1-255 char> 


To configure the person to contact, for managing the device, use the following command line: 


CLI (configure)> [no] snmp contact <text: 1-255 char> 


To configure a string that uniquely identifies the equipment, use the following command line: 


CLI (configure)> [no] snmp chassis-id <text: 1-255> 


By default, chassis-id is a MIB variable given by the manufacturer; this identifier is made up of the type of 
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equipment followed by a serial number. 


In order to avoid IP fragmentation, the SNMP v1, v2 and v3 agent provides a command line to limit the 
maximum SNMP message packet size. Thus, if forged SNMP messages are greater than the configured 
packet size, an SNMP 'too big' message is sent to the manager. 


CLI (configure)> snmp max-message-size <size: 484-8192> 
SNMP v3 agent uses this maximum value to limit the size of outgoing SNMP packets. In addition, this 


maximum message size is sent in SNMP v3 queries, as the remote entity is not allowed to respond with 
messages greater than the size requested by initiator. 


To restore the default values, use the no form of the command: 


CLI (configure)> no snmp max-message-size 
2.10.6 Event Managers 


To add a SNMP manager (up to 10 managers are supported), use the following command in global mode: 
CLI> event manager { <A.B.C.D> | <X:X:X::X> | <name> } [<port>] 
[v1 | v2 | v3 | v3auth | v3priv] 
[<name>] [<encryption>] [informs] 
e port is the destination port for sending traps. 
e  viand v2 are for sending SNMP traps V1 and V2. 


e =V3, v3auth and v3priv are for sending SNMP traps V3 without authentication, SNMP traps V3 with 
authentication and SNMP traps V3 with authentication and privacy. 


e name is the community string for SNMP V1 and V2, and the username for SNMP V3. 


e encryption (only available for SNMP V1 and V2) is set to 0 to have the community string entered in 
clear text then encrypted, and set to 1 to have the community string entered already encrypted. 


e informs (only available for SNMP V3) is used to sent inform messages to the manager. 


If neither port, nor version, nor name is chosen, then a manager will be created with the given address, 
with the community string "public", version 2, and destination port 162. 


To remove a SNMP manager, just use the following command: 


CLI> event no manager { <A.B.C.D> | <X:X:X::X> | <name> } [<port>] 
[v1 | v2 | v3 | v3auth | v3priv] 
[<user>] [<l:encrypted>] [informs] 
To display the configured event managers, use the following command line: 
CLI> show event manager 


10.1.2.1:162 V2 "public" 
10.1.2.1:162 V3 "admin" authPriv 


2.10.7 Adapting SNMP Traps 


By default, a SNMP trap is sent for the following events: cold/warm start, link up/down, authentication 
failures (bad SNMP communities). 


To enable/disable such standard SNMP traps, use the following command: 


CLI (configure)> [no] snmp traps { standard | acl | bgp | ipsec | isakmp 
| isdn | nat | pstn | vrrp } 


2.10.8 Debugging SNMP 


You can use the following command to help you debug configuration issues with SNMP: 


CLI> debug snmp [packet | info | inform | error] 


The options provide the following information: 
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e packet: source/destination IP addresses of SNMP packets 
e info: detailed information of SNMP packets 
e inform: details about SNMP informs 


e error: protocol errors and warning (such as failing authentication) 
2.10.9 SNMP Statistics 


At any stage of the configuration, information about SNMP can be displayed. To display the statistics 
related to SNMP, use the following command line: 


CLI> show snmp statistics 

SNMP statistics: 

IN: 120 total 

0 bad version, community error: 0 bad name, 0 bad uses 

ASN parse errors, trap authentication enabled 

bad types, 0 too big, 0 no such name, 0 bad values 

read only, 0 gen error, 120 total req, 0 total set 

get requests, 120 get next, 0 set requests, 0 get responses 

unknown security models 

invalid, O unknown PDU handler, 0 unavailable context, 0 unknown context 
unsupported sec level, 0 unknown engine Id, 0 wrong digest, 0 decryption error 
OUT: 126 total 

0 too big, O no such name, 0 bad values 

0 read only, O gen error 

0 traps, 120 get responses 


oo00000o 


Use the following clear command in global configuration mode to reset SNMP counters: 


CLI> clear snmp statistics 


To display the SNMP v1 and v2 configuration elements, use the following command line: 


CLI> show snmp community 
no SNMP write community configured 
SNMP read community: public 


To display the configured managers, use the following command line: 


CLI> show snmp managers 
10.1.2.1:162 V3 "guest1l" noAuthNoPriv 
10.1.2.1:162 V3 "admin" authPriv 


To display the configured SNMP v3 engine ID, use the following command line: 


CLI> show snmp engine-id 
Local SNMP enginelId: 
80003387030008005101001b 


To display the configured SNMP v3 users, use the following command line: 


CLI> show snmp users 
user group EnginelId active 
admin private 80003387030008005101001b yes 
guestl1 public 80003387030008005101001b yes 


To display the configured SNMP v3 groups, use the following command line: 


CLI> show snmp groups 

groupname: public security mode:v3 no auth 
read view: all write view: <none> 

notify view: all state: active [nonvolatile] 


groupname: private security mode:v3 auth 
read view: all write view: all 
notify view: all state: active [nonvolatile] 


To display SNMP views configured, use the following command line 


CLI> show snmp view 

snmp view all 1.3.6 included - active [nonvolatile] 

snmp view videfault 1.3.6 included - active [nonvolatile] 
snmp view videfault 1.3.6.1.6 excluded - active [nonvolatile] 
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2.11 TRACES AND EVENTS 


2.11.1 Introduction 


The equipment can provide event information about the interfaces and protocols on the CLI, console port, 
and in a log file managed by the file system. Some events can also generate SNMP traps. 


2.11.2 Event Filters 
To read the events, filters must be defined. Each filter defines a family of events, a severity code and the 
output device (CLI, Console, file, SNMP trap, syslog). 
e CLI: displays the filtered events on the CLI session, from which the filters were created 
e File: records the filtered events in a file. 
e Console: shell/debug interface on the serial port 


e SNMP trap: upon occurrence of the selected events, the information will be sent to the SNMP 
manager as an SNMP trap. This mechanism permits the user to select specific events, which shall be 
monitored in the SNMP management system. 


e Syslog: the event is sent to a syslog server. 


Several filters can be simultaneously defined. When an event is matched by one the filters, the event is 
recorded. 


To add a filter: 


CLI> event filter add <group> <family> { all | <subfamilies> } [<type>] 
[<severity>] <action list> 


group: sys (for system), adm (management), wan (data interfaces), ip, vox (voice) 
family: depends on the selected group 

subfamilies: depends on the selected family & group 

type: (optional) may be info, warning, error, fatal, event 

severity: (optional) 1 to 8 

action list: oneor more of the following actions: DROP, LOG, SHOW, MEM, TRAP, SYSLOG 





List of possible actions (several actions can be configured simultaneously): 


oO 


ROP: Event is suppressed. 
e LOG: Event is recorded in a file. 
e SHOW: Event is output on the console port (shell). 


K¢ 


EM: Event is stored in memory to be displayed on the CLI interface. 





e TRAP: Generation of SNMP v1 traps towards a SNMP manager that must be configured (see below). 


e SYSLOG: Generation of events to a SYSLOG server that must be configured. 


Example: 
CLI> event filter add sys GSHDSL ALL SHOW MEM LOG TRAP 


To show the current filters, enter: 





CLI> show event filters 
Filter 1: g:SYS f: +GSHDSL, sf: ALL, sever: All, 
type: All,action LOG+SHOW+MEM+, argument NONE 


To remove all the filters, enter: 
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2.11 


2.11 


CLI> event filter remove all 
To remove a specific filter (for example #2), enter: 


CLI> event filter remove 2 


.3 Reading the Events 


The events are formatted as follows: 


<time> <date> <type> <group> <family> <subfamily> <text> 


Examples of events on a DSL uplink: 


15:21:48 28:09:2044 Info SYS GSHDSL EVT10 1 Gshdsl if=0 new internal state ST_TIME 
15:21:58 28:09:2044 Info SYS GSHDSL EVT10 1 Gshdsl if=0 new internal state ST_STRT 
15:22:31 28:09:2044 Event SYS GSHDSL EVT11 1 Gshdsl if=0 UP 


If the SHOW action is selected, the events appear immediately on the console/debug interface. 


If the MEM action is selected, the events are recorded in memory and can appear on the CLI interface. This 
command must be entered to view the events: 


CLI> monitor events 


The screen is cleared before the events appear and it is no more possible to enter a CLI command. To 
return to CLI mode, enter ESC. 


If the LOG action is selected, the events are recorded in the file system (ramdisk device) in two files: 
eventl.log and event2.1log (event1.1og is used first and event2.1log is used when event1.log 
is full, etc.). The files can be uploaded in a TFTP server. 


CLI> devs ramdisk: 
CLI> 1s 

Listing the directory / 
tmp/ 512 

eventl.log 3021 
running-config 664 
event2.log 840 


To recover the events recorded in memory (filter defined with MEM action) after a crash and to display them 
on the CLI, enter: 





CLI> event recover show 


To recover from memory and save the events in a file (for example: tr1.log) after a crash, enter: 


CLI> event recover file trl.log 


4 System Logging 


The system logging is based on the same mechanism as the "events" mechanism explained above. The 
following command activates the traces and determines the media where the traces are redirected (under 
configuration terminal): 


CLI(configure)> [no] logging { buffered | console | file | syslog } 
{ alerts | critical | errors | warnings | notifications | informational 
| debug } 


The first argument has the following meaning: 
e console: the traces are output on the console interface. 


e buffered: the traces are stored in device memory. They can be displayed afterwards using the show 
logging command. This is the fastest procedure for redirecting traces, thus impacting less the 
device performances. When remotely connected using telnet, the monitor trace command allows 
viewing the traces on the fly at the same time when they are buffered. 


e file: the traces are recorded under ramdisk:/. First, traces are dumped into the file named 
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tracel.log. When tracel.log is full, trace2.log is used. When trace2.1log is full, 
tracel.log is erased then re-created and new traces are written in this file. 


e syslog: the traces are sent to a syslog server. The syslog client configuration must be done. 
To insert a line-feed automatically for every syslog message: 


CLI (configure)> [no] logging syslog split-CRLF 


The second argument provides the level of details to filter traces, alerts being the least detailed filter and 
debug providing the most traces. 


To show the current logging options and to display the buffered logs, use the next command: 


CLI (configure)> show logging 


Example: a user wishes to view on the fly the debug traces for NAT from a telnet session. Here is the list of 
instructions to enter. 


CLI# configure terminal 

LI (configure) # logging buffered debug 
LI (configure) # exit 

LI# debug ip nat 

LI# monitor trace 





The memory buffer size can be increased/decreased if necessary (default size 16364 bytes). Note that the 
default value is nevertheless displayed in show running-configuration. 


CLI (configure)> logging buffered size <16364..131072 bytes> 


The log file size can be increased/decreased if necessary (default size 20000 bytes): 





CLI (configure)> trace logging max-filesize <200..20000 bytes> 


Every trace can be generated with the device date and time or the current -time or the device up time: 


CLI (configure)> [no] logging timestamp { datetime [msec] [timezone] 
| time | uptime} 


With datetime the optional msec argument adds the milliseconds to the actual date and time, and the 
optional timezone argument adds the time zone. 
With time only the actual time is displayed. 


With uptime the displayed time is related to the device up-time. 


The memory buffer can be cleared (erased) on request using the following command: 


CLI (configure)> clear buffered-logging 


2.11.5 Configuration History 


This facility records all passed configuration commands since the router has rebooted. This logging is 
activated by default (stored in RAM memory). 


The history file size can be increased/decreased if necessary (default size 128 Kbytes): 


CLI (configure) > logging config-history max-size <10..256 Kbytes> 


Use the following command to de-activate the logging. Note that this command empties the history file. 





CLI (configure)> no logging config-history 
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Use the following command to re-activate the configuration logging: 


CLI (configure)> logging config-history enable 


Use the following command to display the history of configuration commands file: 


CLI> show command-config 


Admin User Guide 
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2.12 PING & TRACEROUTE 


2.12.1 IPv4 Ping 


It is possible to ping a device from the CLI: 


CLI> ping [-t] <target> [<source-address>] [<options>] [vrf <vrf-name>] 





—t (optional) enables a periodical ping, which can be stopped by entering ESCAPE. 











source-address is optional. If not provided the IP source address is the primary IP address of the ping 
output interface. 


The options for the ping command are the following: 

e  -1: size of packet (between 64 and 20,000 bytes) used for ping (100 bytes by default) 

e -n: number of packets (between 1 and 10,000) used for ping (5 packets by default) 

e -v: type of service: no-tos, low-delay, throughput, reliability, min-cost (no-tos by default) 


e dscfield: set the Differentiated Services field value (between 0 and 255) according to RFC 2474. 
Note that this option overwrites the —v option. 


e -f:set don't fragment flag (DF bit not set by default) 
e -w: timeout in seconds (between 1 and 60 seconds) to wait for each reply (8 seconds by default) 


vrf-—name is also optional. If not provided the default VRF is used. 


Example: 
CLI> ping 220.13.1.3 20.13.0.10 


Type escape sequence to abort. 
Sending 5 100-byte ICMP echos to 220.13.1.3 from 20.13.0.10, timeout is 3 seconds: 
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/3/4 ms 


Chie 


2.12.2 IPv6 Ping 


The IPv6 ping command syntax is the following: 


CLI> ping6 <destination-ipv6> [size <bytes>] [repeat <ntimes>] 
[timeout <seconds>] [source <src-addr>] [traffic-class <class>] [-t] 


The options are the following: 

e size: size of the ICMP packet. 

e repeat: number of sent ICMP echoes. 

e timeout: number of seconds to consider that an ICMP echo is not replied. 
e source: source IPv6 address of ICMP echo. 

e traffic-class: value of IPv6 traffic class (equivalent of IPv4 TOS). 


e -t: endless ping (until interrupted via ESCAPE key). 
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2.12.3 Xping (Extended Ping) 


The xping command may be used to initiate several ping sessions for different targets. 


The command measures the minimum, average, round trip jitter and maximum ping response time. 


Command for creation of a new xping session: 


CLI> xping <session-name> 
CLI (xping) > 





Then, the xping session (called session-name) must be then configured. The following parameters are 


available: 


CLI(xping)> ? 

activate - Activate xping session. 

address - Set target ip address. 

data-size - Set datagram size for the icmp packet. 
deactivate - Deactivate a session. 

df-flag - Sets the DF flag on outgoing packets. 
dsfield - DS field for IPv4. 

exit - Exit xping mode. 

frequency - Set ping frequency (interval in seconds). 





life-time - The amount of time the session remains active (in minutes). 





probe-count Set the number of packets sent for each ping. 
show - Display xping session configuration. 

source - Set source address. 

target - Set target host name. 

timeout Set request time out. 

vrf - Use VRF 

<cr> 

CLI (xping) > 





The source address is optional but must be a valid IP address if it has been specified. This command must 


be entered to view all the declared sessions in real time: 


CLI> monitor xping 


The screen is cleared and shows real-time statistics for all the configured sessions. To return to the CLI 


mode, enter ESC. 
The xping sessions are removed with the command: 


CLI> no xping <session-name> 


2.12.4 Trace Route 


The list of IP nodes from the device to a destination can be traced: 


CLI> traceroute <target> [<source-address>] [<options>] [vrf <vrf-name>] 


[icmp] 


source-address is optional. If not provided the source IP address is the primary IP address of the 
traceroute output interface. vrf-name is optional. If not provided the default VRF is used. icmp keyword 
is also optional. Use it to make traceroute use ICMP "echo" packets (instead of UDP packets by default). 


Advanced options are available: 


-1 - Packet size 


-i - Time to live 
-v - Type of service: [no-tos], low-delay, throughput, reliability,min- 
cost 


-£ - Set don't fragment flag 
-w —- timeout in seconds to wait for each reply 


The available range for the packet size is from 64 to 1500. The number of packets is restricted between 1 


and 15. The timeout can be configured between 1 and 60 seconds. 
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Example: 
CLI> traceroute 220.13.1.3 20.13.0.10 





Type escape sequence to abort. 
Tracing the route to 220.13.1.3 from 20.13.0.10 
1 20.13.1.3 2 msec * 2 msec 





2.12.5 IPv6 Trace Route 


The IPv6 traceroute command syntax is the following: 


CLI> traceroute6 <destination-ipv6> [size <bytes>] [timeout <seconds>] 
[source <src-addr>] [max-hops <num-of-hops>] 


The options are the following: 

e size: size of the used packet. 

e timeout: number of seconds to consider that the used packet is not replied. 
e source: source IPv6 address of the used packet. 


e max-hops: maximum number of hops to discover. 
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2.13 TELNET, TFTP & FTP CLIENT 


2.13.1 Telnet Client 


A Telnet client is embedded in the OneOS for contacting another device: 
CLI> telnet { <ipv4-address> | <ipvé6é-address> | <name> [ipv4|ipv6] } 


[<port>] [<interface> <unit>] [vrf <vrf-name>] 


name is only supported for IPv4 names. A source address can be provided via the optional parameter 
interface unit that must refer to a valid declared interface. The vrf-name is also optional. If not 
provided the default VRF is used (VRF is only supported with IPv4). 


Example: 
CLI> telnet 20.13.0.3 
Trying 203135053 .06 
Connected to 20.13.0.3. 
Exit character is '*]' or '*S$'. 


User Access Verification 
Password: 


2.13.2 Telnet Server 
A Telnet server is embedded in the OneOS to be contacted from another device. 
2.13.2.1_ Attaching the Telnet Server to an Interface 


The Telnet server is always on. Its source address is the one of the IP interface where the packets are 
routed. For example, if a Telnet client connects from the LAN, the IP source address used by the Telnet 
server is the primary address of the Ethernet interface. 


By default, the Telnet server can be accessed through any declared IP address. To restrict access to the 
IP address of a specific IP interface, enter in global mode: 


CLI> [no] bind telnet <interface> 
interface can be any IP interface such as: ethernet 0/0, fastethernet <intf>/<port>, 
gigabitethernet <intf>/port>, atm 0.x, loopback <id>, etc. 
This command can be entered several times. Use the no form to remove one interface from the list. 
To return to the default settings (Telnet server accessed from any interface), enter the following command: 
CLI> bind telnet any 
Example: to allow Telnet only on the IP address of the virtual IP address 0 (loopback 0), use the following 
command. 
CLI> bind telnet loopback 0 


After having entered the command, the Telnet server and CLI are only accessible using the IP address of 
the selected loopback interface. 


2.13.2.2 Restricting Telnet Access to a Pool of Hosts 


It is possible to restrict access to telnet clients by using a list of addresses standing for the list of permitted 
source IP addresses. Use the following command in global configuration mode: 


CLI (configure)> [no] bind telnet acl <acl-name> 
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Telnet server is enabled de-facto when IPv6 is enabled in the OneOS-based router. An IPv6 access-list 
can be bound to the telnet server to prevent unwished access from specified sources. The ACL binding is 
configured as follows under global configuration mode: 


CLI (configure)> [no] bind telnet acl ipv6 <ipv6-acl> 
2.13.2.3 Using a designated VRF 


Use the following command to use a designated VRF different from the default VRF: 


CLI (configure)> [no] bind telnet vrf <vrf-name> 


2.13.2.4 Configuring the Telnet Server Timeout 


If a connected telnet client is inactive during a certain time, it is disconnected. By default, any inactive 
telnet client is disconnected after 10 minutes. (Warning: previous OneOS releases used to have a 60- 
minute timeout). 


To change the telnet timeout: 


CLI (configure)> telnet timeout <seconds> 


To restore the default timeout, use: 


CLI (configure)> default telnet timeout 
2.13.2.5 Disconnecting a Telnet User 
This procedure functions for console, telnet and SSH users. First, you must retrieve the session ID of the 


host you want to be logged off. To get the session IDs of all connected users: 


CLI> who 


Then, enter the following command to disconnect the user (you need to have the admin user level): 


CLI> clear vty-session <session-id> 
2.13.2.6 Logging the Telnet Connections 


Remote connections to the telnet server can be logged using the following command in global 
configuration mode: 


CLI (configure)> logging telnet enable 
For each connection, the user name (login), the originating IP address, the connection date and time, the 
disconnection date and time and the disconnection cause (logout or timeout) are logged. 
To stop logging the telnet connections use the following command in global configuration mode: 


CLI (configure)> no logging telnet 


The telnet logging is recorded under flash: /. First, logs are dumped into the file named telnet1.log. 
When telnet1.1og is full, telnet2.1log is used. When telnet2.1og is full, telnet1.1log is erased 
then re-created and new logs are written in this file. 


The log file size can be increased/decreased if necessary (default size 8200 bytes): 


CLI (configure)> logging telnet max-filesize <82..8200 bytes> 


2.13.3 TFTP Client 


A standard TFTP client is embedded in the OneOS, which enables the downloading and uploading of files 
from a remote TFTP server using the following command in global mode: 


CLI> copy <source-file> <destination-file> 
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[{ <source-address> | <source-interface> <unit> }] 
[vrf <vrf-name>] 


The vrf-name is optional. If not provided the default VRF is used. Either the source file or the destination 
file can be of the form: 


tftp://<tftp-server>/<filename> 


The source address used in the TFTP messages can be: 
e Adefined IP address using source-address. 
e The IP address of the referenced interface using source-interface unit. 


e The IP address of the referenced interface using the global source address configuration command 
(see below) if none of the 2 addresses above is defined. 


e The IP address of the interface used by the TFTP protocol if none of the 3 addresses above is 
defined. 


In all cases the IP address must be known by the device. 
To define a global source address, use the following command in global configuration mode: 


CLI(configure)> [no] ip tftp source-interface <source-interface> <unit> 


Use the no form of the command to remove de global source address. 


Refer to the copy command whose examples are described in this guide. 


2.13.4 TFTP Server 


A TFTP server is embedded in the OneOS, only to upload files to another device. By default files to upload 
have to be located in the /t ftpboot directory. The TFTP server can act as a TFTP relay to upload a file 
that is located on another TFTP server. 


The TFTP server is disabled by default. To enable the TFTP server, use the following command in global 
configuration mode. Use the optional parameter address to limit the access to a specific interface. 


CLI (configure)> [no] tftp-server [<root-dir>] [address <interface><unit>] 


root-—dir defines the root directory where are located the files to upload (t ft pboot by default). 


Use the no form of the command to disable the TFTP server. 


The TFTP server is available from a non-default VRF. Use the following command to set the VRF. 


CLI (configure)> tftp-server vrf <vrf-name> 


The TFTP relay is disabled by default. To enable the TFTP relay and define the address of the other 
server, use the following command in global configuration mode. 


CLI (configure)> [no] tftp-relay server { <IP-address> | <hostname> } 


Use the no form of the command to disable the TFTP relay. 


Note that the TFTP server must be enabled to have the TFTP relay working. 


2.13.5 FTP Client 


A standard FTP client is embedded in the OneOS, which enables the downloading and uploading of files 
from a remote FTP server. 
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Command: 


CLI> ftp { <ipv4-address> | <ipv6é-address> | <name> [ipv4|ipv6] } 
[<source-address> | <source-interface> | vrf <vrf-name>] 


Warning: name resolution is not currently supported in IPv6. The keywords ipv4 and ipvé are meant to 
force name resolution in either IPv4 or IPv6. 


The source address used in the FTP messages can be: 
e Adefined IP address using source-address. 
e The IP address of the referenced interface using source-interface. 


e The IP address of the referenced interface using the global source address configuration command 
(see below) if none of the 2 addresses above is defined. 


e The IP address of the interface used by the FTP protocol if none of the 3 addresses above is defined. 
In all cases the IP address must be known by the device. 
To define a global source address, use the following command in global configuration mode: 


CLI(configure)> [no] ip ftp source-interface <source-interface> <unit> 


Use the no form of the command to remove de global source address. 
Example: 


CLI> £tp 200.13.0.1 
username: admin 
password: 

CLI (ftp session) > 


The following FTP commands are available: 
e bye - quit ftp session 

e cd-change remote directory 

e 1s - list remote directory 

e get - download file 

e icd - change local directory 

e =11s - list local directory 

e ~=put - upload file 


e pwd - current directory 


2.13.6 SFTP Client 


SFTP stands for Secure File Transfer Protocol. SFTP consists of tunneling the FTP protocol within SSH 
that adds an encryption layer to FTP, thus ensuring data confidentiality and integrity. 


As pre-requisite to use SFTP, a DSA private / public key pair must be computed as follows: 
CLI (configure)> crypto key generate dsa { 256 | 512 | 1024 | 2048 } 


The generated DSA key pair must be computed once and can be used for both SSH and SFTP. 


A file upload on an SFTP server is executed with the following command: 


CLI> copy <local-filename> sftp://<login>:<password>@<ip-—or-name>/<path> 
[<interface> <unit>] 


ip-or-name is either an IPv4 address or a host name that will be resolved as an |IPv4 address. 
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<interface> <unit> is optional and forces the source IP address of SFTP packets from OneOS to 
match the IP address of the selected interface. If <interface> <unit> is forced, the packets are routed 
through the VRF of the selected interface. 


Similarly, a file download is performed as follows: 


CLI> copy sftp://<login>:<password>@<ip-or-name>/<path> <local-filename> 
[<interface> <unit>] 
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2.14 SSH —- SECURE SHELL 


2.14.1 Features 
2.14.1.1 Secure Encrypted Communications 


Secure shell or SSH is both a computer program and an associated network protocol designed for logging 
into and executing commands on a networked computer. SSH design was aimed at replacing the earlier 
rlogin, telnet and rsh protocols by a secure protocol providing encrypted communications between two 
hosts over an insecure network. 


OneOS SSH server is compatible with the version 2. 
2.14.1.2 Strong Security 


The SSH daemon supports 3DES and AES as encryption algorithms. 


While 3DES is a proven and well-understood ciphering algorithm, AES is a higher performance block 
ciphering algorithm created by the US Federal Information Processing Standard (FIPS), and developed as 
a replacement for DES. 


2.14.1.3 Strong Authentication 


Strong authentication using public keys protects against several security problems, such as IP spoofing, 
fakes routes, and DNS spoofing. Authentication of the SSH peers is realized via public DSA keys. DSA 
keys were introduced in SSH version 2. But the user authentication at login time is done like any telnet 
session: based on the local password database, or through RADIUS or TACACS+ servers. 


Note: unauthorized connection attempts are subject to blacklisting (see 2.28). 
2.14.1.4 Remote "exec telnet" commands and local port forwarding 


The SSH server supports remote "exec telnet" commands in compliance with RFC 4254. This means that 
an SSH client opens an SSH session to the OneOS-based router that relays the data in the SSH session 
to another device via a local telnet session between the OneOS-based router and the other device. This is 
typically used to manage via a secure SSH connection over the Internet a device behind the access router, 
e.g. an IP telephone. As the IP telephone has a private LAN address, it is not directly reachable over the 
Internet (except when specifically configured in NAT). SSH remote command is a very useful tool to 
manage such devices over the network without needing to change the access router configuration. 


The SSH server supports local port forwarding in compliance with RFC 4254. The OneOS-based router 
accepts multiple applications running on different channels inside a single SSH tunnel. The router gets via 
the channel message where to forward the session traffic (IP address and port number). Multiple channels 
are supported per session. 


2.14.2 Configuration 
2.14.2.1_ Generating the Authentication Keys 


As SSH daemon requires a public key to authenticate versus remote host, it is mandatory to generate a 
public key pair. Use the following command in global configuration mode to create a Digital Signature 
Algorithm key (the last argument is the key length in bits): 


CLI (configure)> crypto key generate dsa { 256 | 512 | 1024 | 2048 } 


Note that to make the generated DSA key being taken into account, the SSH daemon has to be 
Stopped (disable) then restarted (enable) as described below. 
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To remove the generated DSA key, use the following command: 


CLI (configure)> crypto key zeroize 
2.14.2.2 Starting the SSH daemon 


SSH is disabled by default. To start the SSH daemon, use the following command in configuration mode: 


CLI (configure)> ip ssh enable 
2.14.2.3. Stopping the SSH daemon 


To stop the SSH daemon, use the following command in configuration mode: 


CLI (configure)> ip ssh disable 
2.14.2.4 Configuring the SSH Server Timeout 


If a connected SSH client is inactive during a certain time, it is disconnected. By default, any inactive SSH 
client is disconnected after 600 seconds (10 minutes). 
To change the SSH timeout in seconds, use the following command: 


CLI (configure)> ip ssh timeout <120-4294967295> 
2.14.2.5 Configuring the SSH Server Authentication Timeout 


If an SSH client is in the authentication phase and it is inactive during a certain time it is disconnected. By 
default, any inactive SSH client doing an authentication is disconnected after 120 seconds (2 minutes). 


To change the SSH authentication timeout in seconds, use the following command in configuration mode: 


CLI (configure)> ip ssh auth-timeout <5-120> 
2.14.2.6 Configuring the SSH Server Authentication Retries 


By default, the authentication retries number is 3. To change this value, use the following command in 
global configuration mode: 


CLI (configure)> ip ssh auth-retries <retries> 
2.14.2.7 Attaching the SSH Server to an Interface 


To attach the SSH server to a specific interface use the following command: 


CLI(configure)> [no] bind ssh <interface> 


To permit SSH access from any interface, which is the default configuration, use the following command in 
global configuration mode: 


CLI (configure)> [no] bind ssh any 
2.14.2.8 Restricting SSH Access to a Pool of Hosts 
It is possible to restrict access to SSH clients by using a list of addresses standing for the list of permitted 
source IP addresses. Use the following command in configuration line: 
CLI(configure)> [no] bind ssh acl <acl-name> 


2.14.2.9 Using a designated VRF 


Use the following command to use a designated VRF different from the default VRF: 


CLI(configure)> [no] bind ssh vrf <vrf-name> 
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2.14.2.10 Configuring the maximum number of sessions 


By default, the maximum number of SSH sessions is not limited (in fact the only limit is the memory space) 
while the maximum number of channels per session is 5 and the maximum number of local port forwarding 
sessions is 5. 


To set the maximum number of SSH sessions (including local port forwarding sessions), use the following 
command in global configuration mode: 


CLI (configure)> ip ssh max-sessions <1-5> 


To set the maximum number of channels per session, use the following command in global configuration 
mode: 


CLI (configure)> ip ssh max-session-channels <1-10> 
2.14.3 Statistics 


Use the following show command to display the list of current SSH sessions and related parameters: 


CLI> show ssh 
Connection Remote port Username Algorithm used 
192.168.2.133 2345 admin dsa-3des 


Use the following show command to display the SSH server state and related parameters: 


CLI> show ip ssh 

SSH Enabled 

Authentication timeout 120 secs, retries 3 
Session timeout 600 secs 

Maximum number of sessions 5 

Maximum number of channels per session 10 
Authorized public keys: none 


Use the following debug command to enable [disable] SSH debug: 
CLI> [no] debug ip ssh 


2.14.4 Configuration example 


The following example show the process to create a host DSA public key, followed by the running of SSH 
daemon. 


configure terminal 

crypto key generate dsa 512 
ip ssh enable 

ip ssh timeout 600 

ip ssh auth-timeout 30 

ip ssh auth-retries 2 


2.14.5 Remote SSH illustration 


The following shows how to connect from a UNIX machine to the device with (local) address 192.168.1.4 
behind a router with address 170.20.52.58. 


SSH 
client 


OneOS-based Terminal 






























SSH Telnet 





At the SSH client console (UNIX machine): 
#ssh admin@170.20.52.58 -t telnet 192.168.1.4 
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admin@170.20.52.58's password: <- SSH authentication 
Trying 192.168.1.4 ... Open 
Password: ***x*x*x** <- telnet authentication 


<Device identification> 
SIP Phone> <- telnet prompt 
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2.15 CAPTURING PACKETS 


The capture feature enables the user to observe and to decode incoming and outgoing traffic on logical 
devices (a logical device is a list of filters — up to 8 — applied on one interface). 


The process is first to define filters to determine the protocols to decode, then to attach the filters to an 
interface giving a logical device, and lastly, to start the decoding. 


To define the filters and the devices, enter in capture mode: 
CLI> capture 
CLI (capture) > 
To define a filter, use one of the following commands: 
CLI (capture)> [no] filter { all | arp | rarp } [caplen <bytes>] 


CLI (capture)> [no] filter icmp [sre <src-address>] [dst <dest-address>] 
[type <icmp-type>] [reflexive] [caplen <bytes>] 


CLI (capture)> [no] filter ip [sre <src-address>] [dst <dest-—address>] 
[reflexive] [caplen <bytes>] 








CLI (capture)> [no] filter { tcp | udp } 

[sre <src-address> [sport <src-port>]] 
[dst <dest-address> [dport <dest-port>]] 
[reflexive] [caplen <bytes>] 


To limit performance impact of capture, the captured packets are truncated to the caplen value and 
displayed and stored that way in the capture file (caplen range is from 32 to 2048 bytes; default value is 
68 bytes). 


When reflexive is set then capture is done in both directions. 
The capture tool makes it possible to capture the 802.11 frames: 


CLI (capture)> [no] filter dot11l [<macaddrl> [<macaddr2>]] 
[data | control | Management ] 
[caplen <bytes>] 


CLI (capture)> [no] filter dot1l exclude <type> <sub-type> 
The exclude option is an optional parameter and could be set to exclude some frames regarding to their 
type and sub-type (0 8: beacon frame, 0 4: probe request, 0 5: probe response). 


The filter matches all the options (macaddr1, macaddr2, and frame type) that are presents. If the frame 
type (data, control, or management) is not present, all frames are captured. 


Example: 


CLI (capture)> filter dot11 11:22:33:44:55:66 data 
CLI (capture)> filter dot11 exclude 0 8 





When a filter is created, it is identified by a number. To show the list of £ilter—id, use the command: 


CLI (capture)> show filters 


To define a logical device by attaching the previously defined filter(s) to an interface: 


CLI (capture)> [no] attach <filter-list> <interface-type> <port> 


The filter list can be either one filter number or several filter numbers separated by space characters. 
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Example 1: the following defines two devices (each with one filter) that can be monitored separately: 
attach 1 fastethernet 0/0 
attach 2 fastethernet 0/0 

Example 2: the following defines one device (with two filters) that will monitor the two filters together. 
attach 1 2 fastethernet 0/0 


The logical device is identified by a number. To show the list of device-id, use the command: 


CLI (capture)> show devices 


To start and optionally display the traffic capture, use in global mode the command: 

CLI (capture)> exit 

CLI> monitor capture <device-id> [console | file <fname>] [verbose <0-3>] 
By default, the captured packets are displayed on console. Use the ESC key to stop the monitoring. 


The file output is in pcap format, compatible with TCPDump and other protocol analysis tool such as 
Ethereal. 





The verbosity of the capture decoder can be: 


0 (normal): 

02:15:14.378757 92.168.1.1 > 192.168.1.10 icmp: echo request 
1 (detailed): 
02:15:37.259654 92.168.1.1 > 192.168.1.10 icmp: echo request (ttl 128, id 21740, len 60) 
2 (hexadecimal normal): 

02:15:56.102409 92.168.1.1 > 192.168.1.10 icmp: echo request (ttl 128, id 21751, len 60) 


0x0000 45 00 00 3c 54 £7 O00 00 80 01 62 6e€ cO a8 O1 O1 Base ek 6 DNs as 
0x0010 cO a8 O01 0a 08 00 3d 5c 03 00 Od 00 61 62 63 64  —— ...... =\....abe 
0x0020 65 66 67 68 69 6a 6b 6c 6d 6be 6f 70 71 72 73 74 efghijklmnopgrst 
0x0030 75 76 77 61 uvwa 


3 (hexadecimal detailed): 
02:16:19.261415 92.168.1.1 > 192.168.1.10 icmp: echo request (ttl 128, id 21757, len 60) 





0x0000 45 00 00 3c 54 fd 00 00 80 01 62 68 cO a8 O01 O1 Bh cK Ts concurs bhig wt 
0x0010 cO a8 01 0a 08 00 39 5c 03 00 1100 6162 63 64 ...... 9\....abed 
0x0020 65 66 67 68 69 6a 6b 6c 6d 6Ge 6f 70 7172 73 74 efghijklmnopqrst 
0x0030 75 76 77 61 uvwa 
Example: 
capture 
filter arp 
filter all 


show filters 
1. arp [caplen=68] 
Qe ale, [caplen=68] 


attach 1 fastethernet 0/1 
attach 2 fastethernet 0/1 
show devices 


1. arp on FastEthernet 0/1 [caplen=68] 
2. all on FastEthernet 0/1 [caplen=68] 


exit 


monitor capture 2 console verbose 1 
13:15:03.239326 200.13.0.1.1135 > 200.13.0.10.23 . [tcp sum ok] ack 8912395 win 7597 (DF) 
(ttl 128, id 47965, len 40) 


<ESC> 
CLI> 
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2.16 


INTERCEPTING PACKETS 


The interceptor feature is meant to provide a simple way to test an IP link that terminates on an interface of 
the OneOS-based router. 


The interceptor feature enables the user to activate a TCP or UDP packet interceptor on a specified IP 
interface or sub-interface and on a specified TCP or UDP port. The intercepted packet can be either 
"absorbed" or "reflected". When absorbed the packet is discarded (not routed anywhere) but taken into 
account in IP statistics (that can be retrieved by several means including SNMP). When reflected the 
packet is sent back to the sender as a "regular" packet (received source address and port become new 
destination address and port; conversely received destination address and port become new source 
address and port). Configured IP services (routing, QoS...) apply as usual to the packet. 


To start an interceptor session, use the following command in global configuration mode: 


CLI (configure)> ip pkt-interceptor <if-type> <number/sub-if>[.index] 
{ tcp | udp } <port> { absorb | reflect } [<acl-name>] 


TCP/UDP port number must be between 1024 and 65535. The optional access-list acl-name must 
already exist if used. 


The above command can be entered only one time. To modify the interceptor session, first delete the 
actual session using the command below then start a new session. 


CLI (configure)> no ip pkt-—interceptor 


Use the following command in global mode to display the interceptor statistics: 


CLI> show ip pkt-interceptor statistics 
Listening on interface : FastEthernet 0/0 
Interface address is : 192.168.1.10 

Protocol : udp 

Port : 1999 

Mode : reflect 


Filter : 
Nb packet filtered : 0 
Task Id : 0x80e204d0 


Nb bytes in : 80 
Nb bytes out : 80 
No client connected 


The above statistics result of the following example: 
ip pkt-interceptor fastethernet 0/0 udp 1999 reflect 
Five UDP packets with 16 bytes of data each have been sent to IP/port address 192.168.1.10:1999 of 


FastEthernet 0/0 interface. 


Use the following command in global mode to debug the interceptor session: 


CLI> debug ip pkt-interceptor 
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2.17 SYSTEM INDICATORS 


2.17.1 Checking CPU load 


Use the following command to check the current system load. Current means "during the last second". The 


non critical tasks are the non real time tasks like SNMP, Web server, etc. 


CLI> show system status 


System Informations for device One100 S/N F0601000008 


Software version : ONEOS4-VOIP_SIP-V4.2R4E2_V26A 
Software created on : 06/11/08 17:03:08 

Boot version : BOOT4-SEC-V3.6R2E16 

Boot created on : 01/07/08 11:13:13 


Current system time : 04/12/08 14:50:48 


System started : 04/12/08 14:50:00 

Start caused by : Power Off (Dying Gasp) 

Sys Up time : Od Oh Om 48s 

System clock ticks : 2431 

Current CPU load 2 3.8% 

Current Critical Tasks CPU load 2 2.8% 
Current Non Critical Tasks CPU load 1.0% 


Use the following command to display the system load history. The CPU load is given for the last minute, 
the last hour and the last three days. For the last hour and the last three days, the maximum and average 


values are given. 


CLI> show processes cpu history 


System Informations for device One100 S/N F0601000008 
HHHHHHHHHHHHEH GLOBAL CPU LOAD (last 60 Seconds) #########HHHHRHH 


1 25 12 164 1 
444434443354335444444344633363333384424122204120000000000030 
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90 

80 

70 

60 * 

50 * * 

40 * K* 
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20 K* * K* 

10 * * KKKK ORK KKK * 


CPU% per second (last 60 seconds) 
kkkKKKKKKKKKKK CRITICAL CPU LOAD (last 60 Seconds) ******kkkKKKKK 


25k 164 1 
222222222222223222222222522242222070124011204120000000000030 
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20 K* * K* 
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CPU% per second (last 60 seconds) 


xkkKKKKKKKKKKK NON CRITICAL CPU LOAD (last 60 Seconds) ******xxxx 


111111111121112111111111111111111314200000000000000000000000 
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CPU% per second (last 60 seconds) 


HHHHHHHHRTHEHH GLOBAL CPU LOAD (last 60 Minutes) #######HTHHEERHE 


000000000000000000000000000000000000000000000000000000000000 
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CPUS per minute (last 60 minutes) 
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wkkKKRA KKK CRITICAL CPU LOAD (last 60 Minutes) *#***kkkREKKEE 
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akkKKKKKKKKKKK NON CRITICAL CPU LOAD (last 60 Minutes) ******xxxx 


000000000000000000000000000000000000000000000000000000000000 
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CPU% per minute (last 60 minutes) 
* = maximum CPUS # = average CPUS 
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HHRHHHHHHHHHEHEHEH GLOBAL CPU LOAD (last 72 Hours) ########HHHHRHERE RE 


000000000000000000000000000000000000000000000000000000000000000000000000 
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CPUS per hour (last 72 hours) 
* = maximum CPUS # = average CPUS 


kkkKKKKKKKKKKKKKKKEK CRITICAL CPU LOAD (last 72 Hours) ***##kkKKKKKKKKKKKEK 


000000000000000000000000000000000000000000000000000000000000000000000000 
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30 
20 
10 


CPU% per hour (last 72 hours) 
* = maximum CPUS # = average CPUS 


kkKKKKKKKKKKKKKKEEK NON CRITICAL CPU LOAD (72 Hours) *#*#kkKKKKKKKKK EERE 


000000000000000000000000000000000000000000000000000000000000000000000000 


100 
90 
80 
70 
60 
50 
40 
30 
20 
10 


CPU% per hour (last 72 hours) 
* = maximum CPU% # = average CPUS 


2.17.2 Checking Memory & Flash spaces 


The system memory can be viewed with the following command: 


CLI> show memory 














Memory status report Kbytes 
Ram size 65 536 
:..Program 27 186 
:..code 18 476 
:..data 8 709 
-Static buffers 192 
.Dynamic total 34 974 

y used 13 909 39.7% 

: free 21 065 60.2% 
:..System total 19 806 

: used 5 610 28.3% 
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: free 14 196 71.6% 
:..Data total 15 167 

used 8 299 54.7% 

3 free 6 868 45.2% 
:..Ram disk total 1 011 

used 5 0.5% 

free 1 006 99.6% 
Flash size 2 048 
:..Boot 1 024 
:..Static areas 48 
Extended Flash size 32 768 
:..Flash disk total 32 306 

used 9 408 29.1% 

free 22 898 70.8% 


2.17.3 Checking Reboot Causes 


To check the reasons why the router did reboot, some reboot commands are available. The following 
command provides the last reboot cause (warning: under certain circumstances, the reboot cause may not 
be determined): 


CLI> show reboot cause 


To check the reboot counters per cause: 


CLI> show reboot counters 
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2.18 STATISTICS 


OneOS provides two types of statistics: interfaces statistics and global statistics. 
2.18.1 Interfaces Statistics 


Interfaces statistics are displayed on request using the following command in global mode: 





CLI> show interfaces [<if-type> [<if-number>[/<sub-if>[.<index>]]]] 


Refer to the various chapters describing the interfaces for more information about the displayed items. 


Among these items some are mean values that are by default calculated over the last 4 seconds. To 
change the period of time over which statistics are calculated, use the following command in global 
configuration mode: 


CLI (configure) > load-interval mean-rate <4-4294967295 seconds> 


To revert to the default value (4 seconds), use the following command in global configuration mode: 


CLI (configure> load-interval mean-rate default 


2.18.2 Global Statistics 


An embedded tool is provided to display global statistics (in "real time") with a refresh period of one 
second. The CLI command is: 


CLI> monitor global-statistics 


This command opens a first summary screen. The navigation between the screens is done by typing keys 
shown at the bottom of each screen, i.e.: 


<Q>: to quit 

<R>: to go to the IP routing screen 

<W>: to access the PVC screens 

<ESC>: to quit or to go back to the previous screen 

<1 - 2>: to access detailed screen for PVC number 1 or 2 


Several screens are defined: 


e Summary screen: The top screen displays information about CPU load, memory availability, and 
status of ATM and Ethernet ports. 


e — IP route screen: It shows the IP routing table. 


e WAN information screen: It shows the ATM traffic on the G.SHDSL and also a summary of the 
declared PVC. 


e PVC detailed screen: It shows details for each declared PVC. 


2.18.2.1_ Summary Screen 


01/02/2000 07:25:50 Uptime: 0 days 07:25:47 one60_13 CPU 3% 

System memory: 8301kB total 3425kB( 41%) allocated 4876kB( 58%) free 
Reserved memory: 7999kB total 4664kB( 58%) allocated 3335kB( 41%) free 
FastEthernet0 

up IP not configured 

OkB/s in OkB/s out 2pkt/s in 2pkt/s out 

Atm0 

up configured G.SHDSL up CONN Data Rate: 2304kb/s 

4cells/s in 4cells/s 

IP forwarding enabled 7 total routes 3 static routes 
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[ESC], [0]-Quit [R]-IP routing table [W]-WAN information 


2.18.2.2. IP Routes 


01/02/2000 07:26:02 Uptime: 0 days 07:25:58 one60_13 CPU 6% 
Proto Destination Mask Gateway Interface 

C 0.0.0.1 255.255.255.255 Null0d 

20.14.1.3 LoopbackO 

20.14.1.4 Atm0.2 

127.0.0.1 Loopback0O 

200.13.0.0 255.255.255.0 FastEthernet0 

200.13.0.0 255.255.0.0 FastEthernet0 

200.19.0.0 255.255.0.0 Atm0.2 

[ESC]-Back [Q]-Quit 


aqaaqagagaa 


2.18.2.3 WAN Detailed Screen 


01/02/2000 07:26:15 Uptime: 0 days 07:26:12 one60_13 CPU 6% 
Atm0 
up configured 
Traffic(cells/s): now: 4 in 4 out 
1l-min: 14 in 7 out 
Total cells: 363277 in 196322 out 0 discarded 0 HEC errors 
G.SHDSL up CONN Data Rate: 2304kb/s adaptive (192-2304 K) 
MIB status:noDefect 
Noise mrg: 38,4 dB Tx power: 8,5 dB Rx gain: 5,2 dB 
IF VCI VPI Type Status Encaps QOS PCR SCR MBS in out 
kbps kbps cells kbps kbps 
1. 20201 0 33 pppoa up aal5/mux UBR 2300 0 0 
{1 - 1] - Pvc [ESC]-Back [Q]-Quit 


2.18.2.4 PVC Screen 


01/02/2000 07:26:17 Uptime: 0 days 07:26:13 one60_13 CPU 3% 
Atm0 

up configured 

Traffic(cells/s): now: 4 in 4 out 

1l-min: 14 in 7 out 

Total cells: 363281 in 196326 out 0 discarded 0 HEC errors 
G.SHDSL up CONN Data Rate: 2304kb/s adaptive (192-2304 K) 
MIB status:noDefect 

Noise mrg: 37,7 dB Tx power: 8,5 dB Rx gain: 5,2 dB 


IF VCI VPI Type Status Encaps QOS PCR SCR MBS in out 
kbps kbps cells kbps kbps 

1. 20201 0 33 pppoa up aal5/mux UBR 2300 0 1 

[1 - 1] - Pvc [ESC]-Back [Q]-Quit 
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2.19 USER MANAGEMENT 


2.19. 


2.19 


An embedded database is provided to declare the users allowed to access the device and to define their 
access rights. 


Each user has a username, a password and belongs to a group. The username is a 15-character long 
string; the password is a 32-character long string. Both contain any character except "?", "!" and "space". 


Note: It is possible to use the above-mentioned characters by placing the character string between 
quotation marks (") or between apostrophes (’) if the quotation mark is part of the string. 


Three groups are pre-defined and map three levels of access rights: 


e User (level 0): only access to elementary show functions or diagnostics functions such as ping 
(configuration in read-only mode) 


e Manager (level 7): access to all show functions, traces and configuration functions 


e Administrator (level 15): access to all functions including shell (for system debugging) 


The user database is managed via CLI commands. 
1 User Creation/Deletion 


To add a user, use the following command in global configuration mode. The privilege level of the user to 
be created is either a predefined group level or a given level between 0 (lowest privilege) and 15 (highest 
privilege). The password can be entered already MD5 encrypted. 


CLI> user add <username> <password> { user | manager | administrator 
| <level: 0..15> } [encrypted] 
Example: 
CLI> user add userl passwordl manager 
CLI> 
To remove a user, use the following command in global configuration mode. 


CLI> user delete <username> 


Example: 


CLI> user delete userl 
CLI> 





.2 Password Management 


A user can change its own password: 


CLI> user password <new-password> 


Example: 


CLI> user password password2 
CLI> 


Or to change the password of a given user: 





CLI> user change-password <username> <new-password> 
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Example: 


CLI> user change-password user2 password2 
CLI> 





2.19.3 Access Right Management 


The group (access rights level) may be changed for a given user: 


CLI> user change-access <username> { user | manager | administrator 
| <level:0..15> } 


Example: 


CLI> user change-access user2 manager 
CLI> 





The access level can be also dropped to a lower access rights level for the current user during the current 
session with the command: 


CLI> user drop { user | manager | administrator | <level:0..15> } 


Example: 


CLI> user drop manager 
CLI> 
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2.20 CONFIGURATION OF COMMAND ACCESSIBILITY PER USER 
PRIVILEGE 


The purpose of this feature is to allow an administrator to customize the list of commands that can be 
accessed by a non-administrator user. By default, three user privilege levels are defined and mapped to 
TACACS+ privilege levels: user (TACACS+ privilege level = 0), manager (7) and administrator (15). Each 
CLI command has its own privilege level. If the user privilege level is greater than or equal to the command 
privilege, the user is allowed to use the command. For example, the "ping" command has by default the 
privilege 0. If this privilege is raised to a higher value, a user having the privilege level "user" (i.e. privilege 
level = 0) cannot access the "ping" command. 


In configuration mode, the privilege level of a global mode command is defined as follows: 

CLI (configure) > privilege exec level <level> <command-string> 
level is an integer, ranging from 0 to 15 representing the new privilege of the command (0 being the 
lowest privilege and 15 being the highest privilege). 


command-string is the keyword that designates a command or the beginning of a command whose 
privilege level is modified. This command applies on commands found outside configure terminal. 


To reset the default privilege level, use the following command: 


CLI (configure)> privilege exec reset <command-string> 


Similarly, the following two commands apply only on commands listed under configure terminal. 
To configure the privilege level of a "configure" mode command: 


CLI (configure)> privilege configure <level> <command-string> 


To reset its level, use the next command: 





CLI (configure)> privilege configure reset <command-string> 


Lastly, there are configuration-commands that are duplicated under several leafs of the CLI tree. That is 
especially the case of interfaces configuration commands. To configure accessibility of specified 
commands under an interface type, use the following command: 


CLI (configure)> privilege { if-adsl | if-atm | if-bri | if-dotllradio 
| if-efm | if-ethernet | if-fastethernet | if-gigabitethernet 

| if-12tunnel | if-loopback | if-pri | if-pstn | if-serial | if-tunnel 
| if-va | if-vt | dhcp | router-bgp | router-ospf | router-rip | rtr 

| sip-gateway | voice-port } <level> <command-string> 


CLI (configure)> privilege { if-adsl | if-atm | if-bri | if-dotllradio 
| if-efm | if-ethernet | if-fastethernet | if-gigabitethernet 

| if-12tunnel | if-loopback | if-pri | if-pstn | if-serial | if-tunnel 
| if-va | if-vt | dhcp | router-bgp | router-ospf | router-rip | rtr 

| sip-gateway | voice-port } reset <command-string> 


Note: if-va stands for interface virtual-access and if-vt for interface virtual-template. 


Example: to allow a user of level 0 to change the IP address of the Fast Ethernet ports. 


privilege exec level 0 configure terminal 
privilege configure level 0 interface fastethernet 
privilege if-fastethernet level 0 ip address 
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To view the current privilege level of the logged user, use the following command in global mode: 


CLI> show privilege 


Example: 





CLI> show privilege 
Current privilege level is: 15 


CLI> 


To view the current and the default privilege level of a given CLI command, use one of the following 
commands in global mode: 


CLI> show privilege command exec <command-string> 
CLI> show privilege command configure <command-string> 


CLI> show privilege command { if-adsl | if-atm | if-bri | if-dot1lradio 
| if-efm | if-ethernet | if-fastethernet | if-gigabitethernet 

| if-12tunnel | if-loopback | if-pri | if-pstn | if-serial | if-tunnel 
| if-va | if-vt | dhcp | router-bgp | router-ospf | router-rip | rtr 

| sip-gateway | voice-port } <command-string> 


Example: 


CLI> show privilege command exec configure 
level (current / default): command node 
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2.21 BANNER 


A banner is a text that is displayed when a user: 


e Attempts to login: a text (the message of the day) is displayed before the prompt for login and 
password is shown. 


e Has successfully logged in: another text information can be displayed 
The configuration syntax is the following, beginning in global configuration mode: 
CLI (configure)> banner { motd | exec } *<string>* 
motd is for the text displayed when attempting to log in, whereas exec is for the text displayed when 
logged in. 


The string is delimited by stars and contains any character and can be up to 230 characters long. 
Carriage return must be entered as \r\n. 


For an example, see below. 


As of V4.3R2E2 software release, for longer banner (up to 9200 characters — 40 lines of 230-char long), 
use the following command in global configuration mode: 


CLI (configure)> banner { motd | exec } sequence <1-40> *<string>* 


For example, the following command lines: 


banner exec sequence 1 *######HHFHHHEEHHEEHT HEHEHE HEHE HH\T\n\r\n* 
banner exec sequence 2 * OneOs-—based Router \r\n\r\n* 
banner exec sequence 3 *####HHHHFHEHHHEHEHE TEETH HH HE HE * 


Will output: 
HHHHHERRHHEH RS HERE RE RRR E EEE HH 


OneOS-based Router 
HHFHFHHHHEHE ERE ERSHRHREHE HEE SH 


Note: because this banner is less than 230 characters long, it can also be configured as follows: 


CLI (configure) > banner exec HEP HRRR EE TH HERR aH THEE ES BH HH REA \D\r\n 
OneOs-based Router \c\n\c\ nde ee te ba ee oe BR RE aH HER EE EE * 


To remove the banner (or banner line) use the no form of the command: 


CLI (configure)> no banner { motd | exec } [sequence <1-40>] 
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2.22 AAA (AUTHENTICATION, AUTHORIZATION AND ACCOUNTING) 


Instead of maintaining usernames and passwords inside the device, usernames and passwords can be 
centrally managed in a database. Whenever a user needs to log in, the database server is queried and 
authenticates users’ logins. Either the RADIUS or the TACACS+ protocol can be used to securely send 
login/password in access requests and returns authentication. 


A user can access to the device configuration interface in three steps: 


1. Authentication: the user login/password is checked in the RADIUS/TACACS+ database. The login and 
password are provided at the beginning of the telnet/console CLI session. If an access is granted, the user 
gets a user privilege (if configured on the server). The privilege can be increased by using the "enable" 
command. Entering this command will make the router query the AAA server again. 


2. Authorization: when a command is entered, the CLI looks up the command privilege. If the configuration 
is such that this privilege requires authorization the command is submitted to the AAA server for 
authorization. The AAA server returns an access authorization or deny. 


3. Accounting: authenticated users and entered commands can be logged on the AAA server using the 
accounting feature of OneOS. 


Three levels of access rights have been defined: 


e User: only access to elementary show functions or diagnostics functions as ping (configuration in 
read-only mode). User has the privilege level 0. 


e Manager: access to all show functions and configuration functions. Manager has the privilege level 7. 


e Administrator: access to all functions including debug. Administrator has the privilege level 15. 


AAA configuration can be divided in two steps: 


1) Configure the list of RADIUS or TACACS+ servers (Refer to 2.22.1 and 2.22.2 respectively). If you 
configure one or more servers of the same type, you may not have to configure any "AAA" commands: by 
default, the device is then configured to authenticate and authorize any login from the console or telnet 
access via the configured TACACS+ or RADIUS server(s). 


2) If you need to make more advanced AAA functions, then configure AAA. (See 2.22.3) 


2.22.1 RADIUS 


RADIUS (Remote Access Dial-ln User Service) protocol allows transmitting securely user 
names/passwords and authenticating the user by means of a RADIUS server, which maintains a users list 
with their access rights. 


The embedded RADIUS client is configured with CLI commands. 


2.22.1.1_ RADIUS Client Configuration 


Prior to configuring the RADIUS client, enter the global configuration mode: 


CLI> configure terminal 


Then, to define the server the client will use, use the following command in global configuration mode: 
CLI (configure)> radius-server { <ipv4—-address> | < ipv6é-address> 
| <host-name> [ipv4 | ipv6] } 
<shared-key> [clear-text | encrypted] 
[<interface> <unit>] [<auth-UDP-port>] 
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[retransmit <1-100> [timeout <1-600>]] 
Warning: name resolution is not currently supported in IPv6. The keywords ipv4 and ipvé are meant to 
force name resolution in either IPv4 or IPv6. 


<interface> <unit> parameters provide the source address. auth-UDP-port is the port number 
used for authentication (default is 1812). retransmit (default is 3 times) and timeout (default is 3 
seconds) are used for the supervision of the transactions. 


Example: 


radius-server 120.1.4.5 key23 clear-text 1813 


The following command enables to view the settings to connect to the RADIUS server: 


CLI> show radius-server 
List of Radius server ----- 


IP address Port number Secret Key Interface 
120.1.4.5 1813 342c83£0db93a2d1bbb3 


To disable the RADIUS client, use the no form of the command: 


CLI (configure)> no radius-server { <address> | <host> } [<auth-port>] 


Example: 


no radius-server 120.1.4.5 1813 


2.22.1.2 RADIUS Server Configuration 
The RADIUS server must be configured to define users and access rights (user, manager, and 
administrator). 
The example given below shows the configuration files for the FreeRadius server (www.freeradius.org): 
In the file: /usr/local/etc/raddb/dictionary, add the line: SINCLUDE dictionary.oneaccess. 
In the directory /usr/local/etc/raddb/ 


Create the file dict ionary.oneaccess, which contains the access right definition: 


VENDOR OneAccess 13191 

ATTRIBUTE OA-User-Level 1 integer OneAccess 
VALUE OA-User-Level user 0 

VALUE OA-User-Level manager 7 

VALUE OA-User-Level administrator 15 


The levels must be respected to properly work with the client. 


In the file /usr/local/etc/raddb/users, add the users as follows: 


"user" Auth-Type := Local, Cleartext-Password := "user" 
OA-User-Level=user 

"manager" Auth-Type := Local, Cleartext-Password := "manager" 
OA-User-Level=manager 

"admin" Auth-Type := Local, Cleartext-Password := "admin" 


OA-User-Level=administrator 


Then, configure the passwords required by the enable command. For example, for the administrator level: 


Senab15$ Auth-Type := Local, User-Pasword == "password" 
OA-User-Level=administrator 


In the file /usr/local/etc/raddb/clients.conf, add the following lines in order to identify the client 
(e.g. an OneOS-based router with 192.168.2.60 as IP address) and the shared secret key: 
client 192.168.2.60 { 


secret = key23 
shortname = OA-radius 
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2.22.2 TACACS+ 


TACACS+ (Terminal Access Controller Access Control System +) is an authentication protocol based on 
TCP, which allows a network access server to offload the user administration to a central server, which 
maintains a users list with their access rights as for a Radius server. When a user logs in the device (using 
telnet), the login/password couple is sent to that server using the TACACS+ protocol. If the user name and 
password are found in the TACACS+ server database, the access is granted to that user. In addition to 
that authentication service, the TACACS+ server can respond with additional parameters, including access 
rights. 


Three levels of access rights have been defined: 


e User: only access to elementary show functions or diagnostics functions as ping (configuration in 
read-only mode). 


e Manager: access to all show functions and configuration functions. 
e Administrator: access to all functions including debug. 


TACACS+ is not compatible with other protocols of the TACACS family such as TACACS or XTACACS. 
The embedded TACACS+ client is configured by means of CLI commands. 


2.22.2.1_ TACACS+ Client Configuration 


To configure the TACACS+ client, use the following command in global configuration mode to define the 
server: 


CLI (configure)> tacacs-server { <ipv4-address> | < ipv6é-address> 
| <host-name> [ipv4]ipv6] } [<auth-port>] 
[<key>] [clear-text | encrypted] [timeout <1-600>] 
[<interface> <unit>] 


Warning: name resolution is not currently supported in IPv6. The keywords ipv4 and ipvé are meant to 
force name resolution in either IPv4 or IPv6. 


auth-port is the port used by TACACS+ (default 49). key is the shared key that can be entered in 
clear-text or already encrypted. The timeout parameter is the time in seconds to wait for the server 
to reply (default 3s). interface and unit define the source address used. 


Example: 


CLI (configure)> tacacs-server 1.2.3.4 477 iopme 
CLI (configure)> tacacs-server 1.2.3.5 iopmeu 
CLI (configure) > 


The following command enables to view the settings to connect to the TACACS+ server: 


CLI> show tacacs-server 
ciate) List of TACACS+ server ----- 


IP address Port number Secret Key Source address 
1.2.3.4 477 3c3271£791ddb3bc86e684e0 
1625.3.25) 49 493dafb9b8bébbb4e488e282e094 
CLI> 


To remove the server and disable the TACACS+ client, use the no form of the above command: 


CLI (configure)> no tacacs-server <host> [<auth-port>] 


Example: 


CLI (configure)> no tacacs-server 1.2.3.4 477 
CLI (configure)> no tacacs-server 1.2.3. 
CLI (configure)> exit 


CLI> show tacacs-server 
No TACACS+ server declared 
CLI> 


4 
5 
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When the user enters enable or enable 15, an authentication for enable is sent. This message contains 
the username and the desired privilege level. The server should prompt for a password and compare the 
response with the password configured for the user S$enab15$. The username is by default the username 


provided at login. But it could be changed so that username is S$enab15$. To force the use of the 
username: 


CLI (configure)> no tacacs use-username 


Use the following debug command to enable [disable] TACACS+ debug: 
CLI> [no] debug tacacs 


2.22.2.2 TACACS+ Server Configuration 


2.22.2.2.1. With Enable Passwords 


The TACACS+ server must be configured to define users and access rights (user, manager, and 
administrator). 
On the free TAC_PLUS server, the configuration looks so for a user login: 


user = henry { 
login = cleartext mypassword 


} 


Then, you can configure the passwords for level 0 (user), level 7 (manager), level 15 (administrator). 


User = Senab0$ { 
ogin cleartext *******x* 


User = Senab7$ { 
ogin cleartext *******x* 


User = Senab15$ { 
ogin cleartext ******** 





2.22.2.2.2 With Pre-Defined User Privileges 


A major issue with the configuration method presented before is the lack of security and flexibility: the 
enable 15 password is shared among all users. It is more desirable that each user gets a unique 
password and that a privilege level be associated to that user. 


Example 1 with TAC_PLUS: 


user = henry { 
login = cleartext mypassword 
service = exec { 

priv-lvl = 7 

} 

} 


Example 2: 


user = henry { 
login = cleartext mypassword 
member = admingroup 


} 


user = antoine { 
login = cleartext otherpasswd 
member = admingroup 


} 


group = admingroup 
service = exec { 
priv-lvl = 15 

} 

} 
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2.22.3 AAA Configuration 


The default AAA behavior is the following (i.e. when no AAA commands were entered): 
e If no TACACS+ or RADIUS servers are configured, the local password file is used. 


e If TACACS+ or RADIUS servers are configured and if at least one of them is reachable, 
authentication is done with the AAA server(s) when logging in, no command authorization is done. 


e If TACACS+ or RADIUS servers are configured and if none of them is reachable, authentication is 
done using the local password file, no command authorization is possible. 


To configure user authentication with AAA, use the following command in global configuration mode: 


CLI (configure)> [no] aaa authentication login 
{ default | console | network } 
{ radius | tacacs | <group-name> } 


e If default is used, all accesses via console or Telnet/SSH are controlled using the configured AAA 
servers; otherwise only the accesses from the designated means are controlled. 

e If the radius keyword is entered, all the RADIUS servers are used in the order they are configured. 

e = If the tacacs keyword is entered, all the TACACS+ servers are used in the order they are configured. 


e If a group-name is entered, the servers from that AAA server group are used. See configuration 
hereafter. 


To configure the servers for enable authentication (i.e. the servers that are queried when the user enters 
the enable command), use the following command: 


CLI (configure)> [no] aaa authentication enable 
{default | console | network } 
{ radius | tacacs | <group-name>} 


To configure a message that will be displayed when no AAA server is reachable for authentication, use the 
following command in global configuration mode: 


CLI (configure)> [no] aaa authentication banner sequence <1-40> *<string>* 


Refer to 2.21 for more information about the banner format and for an example. 


To configure an AAA server group, first create the server group as follows: 


CLI (configure)> [no] aaa group server { radius | tacacs } <group-—name> 


Then enter the list of servers: 





CLI (config-sg-tacacs)> [no] server { <A.B.C.D> | <XiX:KM12X> 
| <server-hostname> } 
CLI (config-sg-radius)> [no] server { <A.B.C.D> | <Xo kik t eX> 


| <server-hostname> } 


Use the following command to use a designated VRF different from the default VRF: 


CLI (config-sg-tacacs)> [no] ip vrf forwarding <vrf-name> 
CLI (config-sg-radius)> [no] ip vrf forwarding <vrf-name> 


To enable AAA authorization (TACACS+ servers only) for a given privilege level: 
CLI (configure)> [no] aaa authorization command <level> [default] 
tacacs+ [none] 
level parameter represents a command privilege. Once this command is entered, every command 
having the same privilege level must be authorized by the AAA server. 


default parameter is not used. 
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none parameter is used when the AAA server is unreachable to indicate that no authorization must be 
performed in that case (related commands are therefore authorized). When none parameter is not used 
(default value) the related commands are not authorized when the AAA server is unreachable. 


In some cases, one wants to enter straightaway in exec mode (i.e. with the highest privilege level) without 
entering the enable command. The command is the following: 


CLI (configure)> [no] aaa authorization exec 
{ default | console | network } 
if-authenticated 


The last "A" of AAA stands for accounting. TACACS+ permits the accounting of configuration sessions. 
AAA accounting is only supported with TACACS+ servers. To inform TACACS+ server(s) about users 
logging in and out of the router, use the following command in global configuration mode: 


CLI (configure)> aaa accounting exec default start-stop 


{ tacacs+ | group <tacacs-server-group> } 


To disable CLI session accounting, enter the following command: 


CLI (configure)> no aaa accounting exec 


The AAA command accounting feature logs any entered command by a user on a TACACS+ server. The 
AAA command accounting is activated for commands of a given privilege level: 
CLI (configure)> aaa accounting commands <level> default stop-only 
{ tacacs+ | group <tacacs-server-group> } 
To disable command accounting: 
CLI (configure)> no aaa accounting commands <level> 


The AAA system accounting feature logs the system-level events (shutdown, reboot) on a TACACS+ 
server. To inform a TACACS+ server(s), use the following command in global configuration mode: 


CLI (configure)> aaa accounting system default start-stop 
{ tacacs+ | group <tacacs-server-group> } 


To disable system accounting: 


CLI (configure)> no aaa accounting system 


2.22.4 Show and Debug Functions 


Several show routines are available: 


CLI> show aaa 


CLI> show statistics { radius | tacacs } 


Use the following debug command to enable [disable] AAA debug: 


CLI> [no] debug aaa 
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2.23 DATE/TIME SYNCHRONIZATION 


2.23.1 Showing Current Date/Time 


To show the current date, use: 
CLI> date 


To show the current time: 





CLI> time 
2.23.2 Setting Date/Time 


The date is set as follows: 


CLI> date <dd>:<mm>:<year> 


The device time is set as follows: 


CLI> time <hh>:<mn>[:<sec>] 
2.23.3 Setting Time-zone and Summer Time 


Time synchronization protocols such as SNTP provide a clock that is referenced on the international 
reference (GMT). To adapt the GMT time to the local time, it can be necessary to adjust the time zone and 
the seasonal time (summer time). 


They are configured as follows, beginning under configuration terminal: 


CLI (configure)> clock timezone <name> <-23..+23> 


Where <-23. .23> is the hour offset you want to apply on the GMT time. 
The summer time period is set as follows: 


CLI (configure) > clock summer-time recurring <name> 
{ <1-4> | first | last } <day> <month> <time> 
{ <1-4> | first | last } <day> <month> <time> 


e name is an arbitrary string that can ease readability (for example: CET, Paris, GMT ...). The first part 
designates when the summer time starts. The second part is for winter time. Where the arguments 
have the following meaning: 


e 1-4 | first | last: designates the week when the summer/winter time starts 
e day: is the day of the week when the summer/winter time starts (Sunday for example) 
e month: is the month when the summer/winter time starts (March for example) 


e time: is the time when the summer/winter time starts (02:00 for example) 


2.23.4 SNTP Client 
The SNTP protocol (Simple Network Time Protocol) enables to synchronize time via a connection to a 
NTP server. 


The SNTP client is configured with CLI commands either in broadcast mode (to accept NTP packets from 
any NTP broadcast server) or via a specific connection to a known server (to request NTP packets from 
the known NTP server). 
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The command show sntp gives the status of the SNTP client. 
2.23.4.1_ Broadcast Server Mode 


To configure the SNTP client in broadcast mode to accept NTP packets from any NTP broadcast server, 
use the following command (use the VRF option for a non-default VRF): 


CLI (configure)> sntp broadcast client [vrf <vrf-name>] 


Use the show command to display SNTP status: 
CLI> show sntp 
SNTP server Stratum Version Last Receive 


200.19.0.1 10 3 00:00:11 Synced 
Broadcast client mode is enabled 


CLI> 
2.23.4.2_ Mode with Specified Server 


When the broadcast mode is not used, to configure the SNTP client to request NTP packets from a 
specified NTP server, use the following command (use the VRF option for a non-default VRF): 


CLI (configure)> sntp server <ipv4-address> [<source-if> <unit>] 
[vr£ <vrf-name>] 
CLI (configure)> sntp server <ipv6é-address> [<source-if> <unit>] 
Use the following command to configure in seconds the duration between two requests sent to the NTP 
server when synchronized (default 64 seconds): 


CLI (configure)> sntp poll-interval <seconds> 


Use the show command to display SNTP status: 


CLI> show sntp 

SNTP server Stratum Version Last Receive 
200.19.0.1 10 3 00:00:37 Synced 
Broadcast client mode is not enabled 
CLI> 


2.23.4.3. SNTP Client Service Removal 


The SNTP service client SNTP is stopped with the next commands: 


CLI (configure)> no sntp broadcast client 
Or 
CLI (configure)> no sntp server 200.19.0.1 


2.23.5 SNTP Server 


The OneOS SNTP server can be enabled to provide date/time synchronization to LAN devices such as IP 
phones. 


The following command configures the SNTP Server to send packets in broadcast or multicast mode 
where the following parameters can be set: 





e intfname intfindex  - output interface (example:"fastEthernet 0/0"); 


e maddr - destination multicast address (for multicast); if not set, the interface 
broadcast address is used; 


e src-port (default=123) - output packet source port; 

e dst-port (default=123) - output packet destination port; 
e poll (default=64) - sending interval in seconds; 

e ttl (default=64) - output packet "time to live"; 


Use the no form of the command to disable the SNTP server previously configured. 
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CLI(configure)> [no] sntp-server broadcast <intf-name> <intf-index> 
[<multicast-addr>] [srce-port <src-port>] [dst-port <dest-port>] 
[poll <poll>] [ttl <ttl>] 


The following command specifies that the onboard SNTP server shall use the synchronization of the 
embedded SNTP client to send broadcast packets. If the command is enabled and the SNTP client is not 
synchronized, the SNTP Server does not send any broadcast packet and it responds to SNTP request by 
setting the 'stratum' field to '0' and 'Leap Indicator’ to '3' (alarm condition - clock not synchronized). 


The no form of the command disables the ‘client-reference’ mode. 
CLI (configure)> [no] sntp-server client-reference 


The following command configures the SNTP server so that it responds to multicast requests. The 
command parameters are: 





e intfname intfindex  - interface where multicast is active (example: “fastEthernet 0/0”); 
e maddr - listen multicast address; 

e src-port (default=123) - listen port; 

The multicast response mode can be disabled with the no form of the command. 


CLI (configure)> [no] sntp-server multicast <intfname> <intfindex> 
<multicast-addr> [sre-port <src-port>] 


The following command enables the unicast/broadcast mode of the SNTP server such that it responds to 
unicast and broadcast requests. The listen port can be configured as follows: 

e src-port> (default=123) - listen port; 

The unicast response mode can be disabled with the no form of the command. 


CLI (configure)> [no] sntp-server unicast [src-port <src-port>] 


The following command configures the SNTP Server to use the designated VRF: 


CLI (configure)> [no] sntp-server vrf <vrf-—name> 


The debug command can be used for troubleshooting purpose. 


CLI> [no] debug sntp-server 


This command shows the current SNTP server configuration and statistics. 


CLI> show sntp-server 


Configuration Example 


configure terminal 
sntp-server client-reference 
sntp-server unicast 

exit 
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2.24 SYSLOG CLIENT 


The SYSLOG service allows to send events to several SYSLOG servers (maximum: 2). The SYSLOG 
server can store/filter/process incoming messages, so that network administrator can use standard, UNIX- 
based tools. 


This facility is enabled via CLI commands when configuring events, such as for G.SHDSL: 


CLI> event filter add sys gshdsl all syslog 


2.24.1 Adding a SYSLOG Server 


You are able to declare one or more SYSLOG server. The following commands are used: 


CLI> configure terminal 
CLI (configure)> syslog server { <hostname> [ipv4 |ipv6] | <A.B.C.D> 
| <X:X:X::X> ipv6 } <0-23> 


Warning: name resolution is not currently supported in IPv6. The keywords ipv4 and ipvé are meant to 
force name resolution in either IPv4 or IPv6. 


The first parameter is the server address. The second parameter (facility number, ranging from 0 up to 23) 
must be set according to the server configuration. 


Note: many manufacturers (such as Cisco) use 23 as default facility number. 
You are also able to bind the SYSLOG server to a defined interface: 
CLI (configure)> syslog server { <hostname> | <A.B.C.D> } <0-23> 
<interface><unit> 
Example: 


CLI (configure)> syslog server hostnl1 20 atm 0.1 
CLI (configure)> syslog server hostn2 21 atm 0.2 


2.24.2 SYSLOG Server Removal 


To remove a SYSLOG server, use the following command: 


CLI> configure terminal 
CLI (configure)> no syslog server { <host-—name> <A.B.C.D > } <facility- 
number> 





2.24.3 SYSLOG Server List 
A show command may be used to list all the defined SYSLOG servers: 
CLI> show syslog servers 


Server Facility Interface 
Hostnl 20 Atm 0.1 


2.24.4 SYSLOG Server Configuration 


The following information provides some hints for a Linux syslog server configuration: 
The standard UDP port 514 is used by the SYSLOG client to access the server. 


The configuration file "syslog.conf" must contain the name and the path of the text file to log the 
messages according to the used facility: 
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local0.* /var/log/one400_evt 


"localo" corresponds here to the facility number 16 (defined in syslog.h) 


If you edit the file "one400_evt", you are able to see the logged events: 


Jun 18 18:43:30 222.222.222.222 vxTarget event: 18:43:30 18:06:2004 Event ATM 
IPOA STATUS_12 1 Ipoa if=0 vpi=0 vci=34 pvc modification requested 
Jun 18 18:45:27 222.222.222.222 vxTarget event: 18:45:27 18:06:2004 Event ATM 
IPOA STATUS_12 1 Ipoa if=0 vpi=0 vci=34 pvc modification requested 
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2.25 PERFORMANCE PROBE (PPA-PM & RTR) 


The performance probe agent (PPA) is embedded software that performs active monitoring of the network 
performance. 


2.25.1 Performance Probe Agent -— Path Measurement (PPA-PM) 
2.25.1.1_ Introduction 


PPA-PM manages probes sending test packets to a specified destination. The test packets must be 
returned by the receiver after inserting additional information in packets. By means of this information, the 
sender is able to calculate interesting quality metrics of the IP path from source to destination, including 
packet loss, round trip delay and jitter. 


PPA-PM requires a sender (emitting test traffic) and responder (looping test traffic back to sender). When 
the responder loops a packet, the responder inserts a timestamp. Let us assume T(i, 74) as the time 
stamp for the i*” packet, at the 3°" step. 


Sender Responder 
T(1,1) 
T(1,2) 
T(1,3) 
T(1,4) 
T(2,1) 
T(2,2) 
T(2,3) 
T(2,4) 


The sender and responder do not have the same time; their clocks are most probably not synchronized on 
the same source (we assume an offset Toff exists between both clocks). Let us assume that the transit 
delay for packet 1 is D. 


Toff + T(1,2) = T(1,1) + D 


The round trip delay (RTD) is: 

RTD = T(N,4) - ( T(N,3) + Toff ) + ( T(N,2) + Toff ) - T(N,1) 
If we assume that the processing delay in responder is negligible, we can simplify the formula with 
T(N, 2) =T (N, 3). The formula is: 

RTD = T(N,4) - T(N,1) 
The jitter on one-way delay is the time difference between the one-way transit delays of two consecutive 
packets. This jitter can be measured from source to destination and vice-versa. 

JitterSD = T(N+1,2) + Toff - T(N+1,1) - (T(N,2) + Toff - T(N,1)) 








JitterSD = T(N+1,2) - T(N+1,1) - (T(N,2) - T(N,1)) 
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Similarly, jitter from destination to source: 


JitterDS = T(N+1,4) - T(N+1,3) - (T(N,4) - T(N,3)) 


Every packet carries a sequence number, so that PPA-PM can identify packet loss ratio. 
PPA-PM is configured to forge test packets in three ways: 


e ICMP Timestamp Request: the sender emits ICMP packets whose type is 13 (Timestamp request). 
The responder must respond with its own timestamp with ICMP packet type 14. This is a standard 
requirement of the ICMP protocol. In other words, the responder can be any router type & make. This 
allows to measure packet loss, round trip delay and one-way jitter. 


e UDP Timestamp: the sender sends UDP packet in an OneAccess proprietary format. The responder 
must listen to the appropriate port and respond with a timestamp included in UDP reply packet. This 
allows to measure packet loss, round trip delay and one-way jitter. 


e UDP Ping: the sender sends UDP packet in an OneAccess proprietary format. The responder must 
listen to the appropriate port and respond with an appropriate UDP reply packet. This allows to 
measure packet loss and round trip delay. 


2.25.1.2 Configuring PPA-PM Responder 


The PPA-PM responder must be configured on responding routers only if UDP ping or UDP timestamp 
probes are needed. 


The next command starts or restarts the PPA-PM Responder on a specified port and binds the Responder 
on an ip address or on an interface if specified (binding means a received packet is accepted if it is 
destined to the specified IP address or if it is received on the requested interface). If the Responder is 
restarted, the statistics are reset. 


CLI (configure)> ppa-pm responder port <port-—number> 
[address <inet-address> | interface <type> <unit>] 
PPA-PM responder is available from a non-default VRF. Use the following command to set the VRF. 


CLI (configure)> ppa-pm responder vrf <vrf-name> 


To disable the PPA-PM responder (default state: disabled), enter the no command: 
CLI (configure)> no ppa-pm responder 
2.25.1.3. Configuring PPA-PM Sender 
A PPA-PM session must be created. A session is an object containing configuration information and 
statistics of a probe. It is identified by a unique ID. To start configuring a PPA-PM session: 
CLI(configure)> [no] ppa-pm session <session-id> 
CLI (ppa-pm-cfg) > 
The probe type must be specified: 
CLI (ppa-pm-cfg)> type { jitter-icmp-timestamp | jitter—-udp-ping-timestamp 
jitter-udp-ping } 
The target address must be defined (If the port parameter is not used the target port is the one specified by 
the ppa-pm default udp port): 


CLI (ppa-pm-cfg)> target address <inet-address> [port <port-—number>] 


The following session parameters are all optional. 


PPA-PM session is available from a non-default VRF. Use the following command to set the VRF. Use the 
no form to return to the default VRF. 


CLI (ppa-pm-cfg)> [no] vrf <vrf-name> 


The source address can be forced: 


CLI (ppa-pm-cfg)> source { address <ip> | interface <type> <unit> } 
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Now we can set an owner parameter for the probe: 
CLI (ppa-pm-cfg)> owner <string> 
We can set a timeout for the operation, the interval between successive executions of the probe, the 


DSCP (TOS) value to be set in the IP packets or the size of the payload. Note that the frequency (in 
seconds) should be greater than the timeout value (which is set in milliseconds) 





CLI (ppa-pm-cfg)> frequency <time-in-s> 

CLI (ppa-pm-cfg)> timeout <time-in-ms> 

CLI (ppa-pm-cfg)> tos <decimal-value> 

CLI (ppa-pm-cfg)> data-request size <data-size-in-bytes> 


The ‘frequency’ is the time interval between two consecutive measurement campaigns. The 'timeout' is the 
time the device shall wait before considering the packet lost. 


Note about the TOS: if the user wants to study network packet loss based on packet precedence, the 
proper TOS value should be selected. It is important to consider that red packets may be re-colored by 
traffic policing. One should activate color-aware packet marking to avoid the precedence field to be 
upgraded. 


The PPA-PM sends several packets during a measurement campaign. The number of packets within one 
test campaign is defined as follows: 


CLI (ppa-pm-cfg)> packet count <number> 


The timeout for packet reply (enabling detection of packet loss) is set as follows: 


CLI (ppa-pm-cfg)> timeout <milliseconds> 


Complete session configuration with the "exit" command: 


CLI (ppa-pm-cfg)> exit 


By default, the destination port must be specified in ppa—pm session, but the default destination port can 
be set (default: 7777): 


CLI (configure)> ppa-pm default udp port <port-—number> 


To schedule a PPA-PM probe (i.e. to program the launch of measurement campaigns), use the command: 


CLI (configure)> ppa-pm schedule <session-id> start { now | <HH:MM:SS> } 
2.25.1.4. Configuration Example 


Example with two routers connected back-to-back by fastEthernet 0/0. 





Responder Side: 


configure terminal 
interface fastEthernet 0/0 
ip address 10.10.10.1 255.255.255.0 
exit 
ppa-pm responder port 35000 


Sender Side 


configure terminal 
interface fastEthernet 0/0 
ip address 10.10.10.2 255.255.255.0 
exit 
ppa-pm session 1 
type jitter-—udp-ping-timestamp 
target address 10.10.10.1 port 35000 
exit 
ppa-pm schedule 1 start now 


2.25.1.5 Statistics 
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To show the status and statistics of the PPA-PM responder: 


CLI> show ppa-pm responder 
PPAPM Responder status for port 7777: running 
received UDP-PING packets: 

received UDP-PING-TIMESTAMP packets: 
sent UDP-PING packets: 

sent UDP-PING-TIMESTAMP packets: 
received invalid packets: 
application specific errors: 
fatal errors: 


oooCoCoCc fo 


PPAPM Responder global statistics 
received UDP-PING packets: 
received UDP-PING-TIMESTAMP packets: 
sent UDP-PING packets: 
sent UDP-PING-TIMESTAMP packets: 
received invalid packets: 
application specific errors: 
fatal errors: 





ooooCoCcofo 


To show the configuration of a PPA-PM session (if session-number is not specified, all sessions are 
shown): 


CLI> show ppa-pm session [<session-number>] configuration 
session/packet type: ICMP TIMESTAMP (ITS), UDP, UDP TIMESTAMP (UTS) 


> session | target | packet | timeout (ms) | data size(B) 
status | source | frequency(sec) | interval(ms)| tos 

> 39 192.168.1.2 :7777 10 (UDP) 1000 32 
active 192.168.1.1 1 20 1 


To show the statistics of a PPA-PM session (if session-number is not specified, all sessions are shown): 


CLI> show ppa-pm session [<session-number>] operational-state 
session/packet type: ICMP TIMESTAMP (ITS), UDP, UDP TIMESTAMP (UTS) 
PPA-PM session: 39 (active) 
owner: ppa-pm-—0 
target: 192.168.1.2:7777 
source: 192.168.1.1 
packet: 10 (UTS) 
frequency: 60sec 
timeout: 5000ms 
interval: 20ms 
data size: 32bytes 
tos: 0 
completion status: ok 
completion time: 2009.08.05 09:13:29 +01:00 UTC 
executions count: 53326 
received packets: 9 
-round-trip times: llavg, 102sum, lmin, 23max 
jitter S->D: 4, 47sum, 16max, 3, -—33sum, -—16max 
jitter D->S: 3, 2sum, lmax, 4, -2sum, -—lmax 
loss distribution: 0(S->D), 0(D->S) 
loss: 1, O00S:0, TMO:0 
used resources: 230bytes, OUDP socket(s), Otask(s) running 


In the example above: 9 packets have been received with an average round-trip delay of 11ms, the 
minimum round-trip delay being 1ms, the maximum being 23ms and the sum of all round-trip delays being 
102ms. 


With regard to jitter values (differences between two consecutive round-trip delay values) in the direction 
from source to destination (S->D), 4 have been positive (increased network latency) with the sum being 
47ms and the maximum being 16ms while 3 have been negative (decreased network latency) with the sum 
being -33ms with the maximum being -16ms. In the direction from destination to source (D->S), 3 jitter 
values have been positive with the sum being 2ms and the maximum being 1ms while 4 have been 
negative with the sum being -2ms and the maximum being -1ms. 


With regard to packet losses between round-trip, they are counted in each direction with distinction 
between arrival out of sequence (OOS) and elapsed time-out (TMO). 


2.25.2 Response Time Reporter (RTR) 


RTR operates by generating and analyzing traffic to provide a set of performance measurements such as 
network delay, packet loss, availability and jitter. The task of measuring a specific metric is called a 
"probe". Currently, the supported probes are ICMP Echo, which performs a classic ping operation on a 
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target, ICMP PathEcho, which performs a series of ping on every hop of the path from the source to the 
target, like in a "traceroute" operation and pathJitter, which calculates round trip delays and a jitter 
measurement of the round trip delay on the path. 





The probes can be scheduled to be executed continuously or for a determined period of time, starting 
immediately or after a specific delay, or even triggered by events such as the failure of another probe. 


The results of each probe can be analyzed by the PPA agent, filtered and eventually stored. Depending on 
the values, the results can trigger events such as the start of another probe or notifications to a network 
management system via SNMP traps. 


The creation and scheduling of probes and retrieval of results can be done via CLI or SNMP. 
2.25.2.1_ Configuration of a Probe via the CLI 


Probes are identified with a number in the 1-2147483647 range. In order to facilitate the management of 
probes, they can have an "owner" string and a “tag" string attached. 


To create the probe, we use the following command, in global configuration mode: 
CLI (configure)> rtr session <session-id> 


CLI (conf-rtr)> 


The CLI enters the rtr configuration mode, where we can configure the operational parameters of the 
probe, such as target address, filtering options and data collection. We can set also a source address to 
use for the probe. Note that we can only use the type command at this point, to define the type of the 
operation and the target address. 


CLI (conf-rtr)> type echo protocol ipIcmpEcho <target-address> [<source- 
address>] 

Example: ICMP echo probe, with the target address 193.168.0.10 
CLI (conf-rtr)> type echo protocol ipIcmpEcho 193.168.0.10 


To create an ICMP EchoPath probe, we use: 


CLI (conf-rtr)> type pathEcho protocol ipIcmpEcho <target-address> 
[<source-address>] 


To create a PathJitter probe, the command is: 


CLI (conf-rtr)> type pathJitter dest-ipaddress <target-—address> 
[source-address <source-address>] 
[number-of-packets <number>] 
[interval <milliseconds>] [targetOnly] 


The number-of-packets parameter (default: 10) designates the number of packets sent at each 
measurement. They are sent every interval ms (default: 20 ms). If the keyword targetOn1ly is used, 
the packets are sent directly to the destination address, without probing the path. 


Now we can set other parameters for the probe: 
CLI (conf-rtr)> owner <string> 


CLI (conf-rtr)> tag <string> 


We can set a timeout for the operation, the interval between successive executions of the probe, the 
DSCP (TOS) value to be set in the IP packets or the size of the payload. Note that the frequency (in 
seconds) should be greater than the timeout value (which is set in milliseconds) 





CLI (conf-rtr)> frequency <time-in-s:0-604800> 

CLI (conf-rtr)> timeout <time-in-ms:0-604800000> 

CLI (conf-rtr)> tos <decimal-value:0-255> 

CLI (conf-rtr)> request-data-size <data-size-in-bytes: 64-16384> 





The frequency is the time interval between two consecutive measurement campaigns. The timeout is 
the time the device shall wait before considering the packet lost. 


Note about the TOS: if the user wants to study network packet loss based on packet precedence, the 
proper TOS value should be selected. It is important to consider that red packets may be re-colored by 
traffic policing. One should activate color-aware packet marking to avoid the precedence field to be 
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upgraded. Refer to "Traffic policing" section in "Quality of Service" chapter of "OneOS — Basic IP User 
Guide" document. 


Another important setting is the threshold value, which can be used for triggering events and filtering the 
results with better granularity. For example, we can set the timeout to 300 ms, and a threshold of 100ms 
will enable us to be notified of a deterioration of the quality of service before this becomes a problem. 


CLI (conf-rtr)> threshold <time-in-ms:0-2147483647> 


RTR is available from a non-default VRF. Use the following command to set the VRF. Use the no form to 
return to the default VRF. 


CLI (conf-rtr)> [no] vrf <vrf-name> 


To delete a probe, use the following command, in global configuration mode: 





CLI (configure)> no rtr session <session-id> 
2.25.2.2_ Probe Scheduling via CLI 


Once the probe was created and all the parameters set, we can schedule the probe for execution using 
the following command: 


CLI (configure)> rtr schedule <entry-number> [ageout <0-2073600>] 
[life <0-2147483647> | forever] 
[start-time { now | pending | hh:mm[:ss] }] 


We can start the probe immediately with the now option, at some specified time (hh:mm:ss) or leave it in 
a pending State (default value), waiting to be triggered via an event. 


We have the possibility to stop the probe after a determined interval with the 1ife option (default 3600 
seconds) or to have a permanent probe with the forever option. 


For temporary probes we can set an ageout value (default O=infinite). After the probe has been stopped, 
and the specified number of seconds has elapsed, the probe will be deleted automatically. 


Example: start the probe immediately, with a lifetime of 5 minutes: 


CLI (configure)> rtr schedule 1 life 300 start-time now 


Note that a scheduled probe cannot be modified. The rtr session command will display a warning 
message if you attempt to reconfigure an active probe. 


We can suppress a session scheduling with the following command: 


CLI (configure)> no rtr schedule <entry-number> 


2.25.2.3 PPA Statistics 


The following command allows us to inspect the status of the probes, as well as the results: 


CLI> show rtr ? 

application - RTR Application 

collection-statistics - RTR Statistic Collections 
configuration - RTR configuration 
distributions-statistics - RTR Statistic Distributions 
history - RTR History 

operational-state - RTR Operational State 
reaction-trigger - RTR Reaction Trigger 


Except for show rtr application, which displays general information on the PPA module, all show 
rtr commands accept an optional parameter for displaying just one entry. 


Example of output for a pathEcho probe: 


CLI> show rtr configuration 999 
Complete Configuration Table (includes defaults) 
Entry Number: 999 

Owner: 

Tag: 

Type of Operation to Perform: pathEcho 
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Reaction and History Threshold (milliseconds): 5000 
Operation Frequency (seconds): 60 

Operation Timeout (milliseconds): 5000 

Verify Data: FALSE 

Status of Entry (SNMP RowStatus): active 

Protocol Type: ipIcmpEcho 

Target Address: 192.168.0.1 

Source Address: 0.0.0.0 

Target Port: 0 

Source Port: 0 

Request Size (Request/Response protocol data portion): 1 
Response Size (Request/Response protocol data portion): 1 
Control Packets: enabled 

Loose Source Routing: disabled 

LSR Path: 

Type of Service Parameters: 0 

Life (seconds): 3600 

Next Scheduled Start Time: Pending Trigger 

Entry Ageout: never 

Connection Loss Reaction Enabled: FALSE 

Timeout Reaction Enabled: FALSE 

Threshold Reaction Type: never 

Threshold Falling (milliseconds): 3000 

Threshold Count: 5 

Threshold Count2: 5 

Reaction Type: never 

Number of Statistic Hours kept: 2 

Number of Statistic Paths kept: 5 

Number of Statistic Hops kept: 16 

Number of Statistic Distribution Buckets kept: 1 
Statistic Distribution Interval (milliseconds): 20 
Number of History Lives kept: 2 

Number of History Buckets kept: 15 

Number of History Samples kept: 16 

History Filter Type: all 





CLI> show rtr operational-state 999 
Current Operational State 

Entry Number: 999 

Modification Time: *10:26:19.000 UTC THU JUN 24 2003 
Diagnostics Text: 

Last Time this Entry was Reset: Never 

Number of Octets in use by this Entry: 19750 
Connection Loss Occurred: FALSE 

Timeout Occurred: TRUE 

Over Thresholds Occurred: FALSE 

Number of Operations Attempted: 60 

Current Seconds Left in Life: 0 

Operational State of Entry: inactive 

Latest Completion Time (milliseconds): 23 

Latest Operation Return Code: Ok 

Latest Operation Start Time: *11:25:21.000 UTC THU JUN 24 2003 
Latest: 192.168.0.1 


2.25.2.4 Advanced Features 


The PPA can be configured to analyze, filter and store the results of the probes, and to react to specific 
conditions, either via CLI or via SNMP. 


Storage of the results is enabled via the history facility, which can be configured to filter the samples 
retained. 


CLI (conf-rtr)> lives-of—-history-kept <nb-of-history-kept:0-2> 
CLI (conf-rtr)> filter-for-history { all] failures| overthresold| none } 


By default, no history is kept (lives-of-history-kept 0 and filter-for-history none). The 
filter "a11" keeps all probe results, the filter "none" none of them, the filter "overThreshold" only probes 
that have the result over the threshold (like the Round-Trip Time (RTT) for an echo operation) and the filter 
"failures" only failed probes (like timed-out or unreachable). 





The maximum number of history (depending on the type of probe) to keep can be limited: 


CLI (conf-rtr)> buckets-of—history-kept <number-of-history-—buckets:1-60> 
CLI (conf-rtr)> samples-of—-history-kept <number-of-history-samples:1-30> 


To display the collected data: 
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CLI> show rtr history 


Point by point History 
Multiple Lines per Entry 


Line 1 
Entry = Entry Number 
Lifel = Life Index 
BucketI = Bucket Index 
SampleI = Sample Index 
SampleT = Sample Start Time 


CompT = Completion Time (milliseconds) 
Sense = Response Return Code 
Line 2 has the Target Address 


Entry Lifel BucketI Samplel SampleT CompT Sense 

999 Ee 57 i. 1088076141 1 1 cO A801 
999 1 58 1 1088076201 Al 1 cO A801 
999 4 59 1 1088076261 1 1 cO A801 
999 L 60 a 1088076321 di 1 cO A801 





Entry is the RTR session identifier; LifeI is the index of the history kept; BucketI is the index of the 
bucket (see below) in the history life; SamplelI is the index of the sample in the bucket; SampleT is the 
time of the sample (as the number of milliseconds since the last system boot up); CompT is the time within 
the operation has bee completed; Sense is the return code of the operation (see next table). 
































Sense return code Description 

1 OK 

2 Disconnected 
3 Over threshold 
4 Timeout 

5 Busy 

6 Not connected 
7 Dropped 
others Error specific 











Another feature is the possibility to store results in separate "buckets", according to the result of the probe. 
The following commands will parse and store results in the categories: 


CLI (conf-rtr)> distributions-of-statistics—-kept <number-of-buckets:1-20> 
CLI (conf-rtr)> statistics—distribution-interval <time-steps-—in-ms:1-100> 








For that example, for the following buckets: 0-4ms, 4-8ms, 8-12 ms, 12-16 ms, >16 ms 


distributions-—of-statistics-kept 5 ! 5 buckets 
statistics-distribution-interval 4 ! 1 bucket=4ms interval 


The maximum number of statistics (depending on the type of probe) to collect can be limited: 


CLI (conf-rtr)> hops-of-statistics—kept <number-of-hops:1-20> 
CLI (conf-rtr)> hours-of-statistics—kept <number-of-hours:0-25> 
CLI (conf-rtr)> paths-of-statistics—kept <number-of-paths:1-128> 


The following command will display the cumulated statistics for each of the defined buckets: 


show rtr distributions-statistics 333 


Captured Statistics 
Multiple Lines per Entry 
Line 1 
Entry = Entry Number 
StartT = Start Time of Entry (hundredths of seconds) 
Pth = Path Index 
Hop Hop in Path Index 
Dst Time Distribution Index 
Comps Operations Completed 
OvrTh Operations Completed Over Thresholds 
SumCmp = Sum of Completion Times (milliseconds) 
Line 2 
SumCmp2L = Sum of Completion Times Squared Low 32 Bits (milliseconds) 
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SumCmp2H = Sum of Completion Times Squared High 32 Bits (milliseconds) 


TMa 
TMi 


Entry 
333 
333) 
333 
333 
333 





x = Completion Time Maximum (milliseconds) 
n = Completion Time Minimum (milliseconds) 


StartT Pth Hop Dst Comps OvrTh SumCmp SumCmp2L SumCmp2H TMax TMin 
1088103929 1 1 0 0 0 0 0 1 1 
1088103929 1 2 3 0 14 0 66 5 4 
1088103929 1 3 a 0 ay. 0 145 9 8 
1088103929 1 4 0 0 0 0 0 id 1 
1088103929 1 5 0 0 0 0 0 1 1 


Entry is the RTR session identifier; StarT is the start time of the interval (as the number of milliseconds 





since the last system boot up); Pth is the path index number (only valid for pathEcho probes otherwise 
1); Hop is the hop index number in the path (only valid for pathEcho probes otherwise 1); Dst is the time 
distribution index within the interval; Comps is the number of operations that have completed successfully; 
OvrTh is the number of operations that have timed out; SumCmp is the sum of completed operation times 
for all successful operations in the row (in milliseconds); SumCmp2L is the low-order 32 bits only of the sum 


of the squa 








re roots of completion times (in milliseconds) for the successfully completed operations; 


SumCmp2H is the high-order 32 bits only of the previous sum; TMax is the highest recorded completion 


time per in 


terval (in milliseconds); TMin is the lowest recorded completion time per interval (in 


milliseconds). 


The PPA can be configured to react to different conditions with specific actions, for each probe. One 
example is starting a pathEcho operation in response to a timeout on an echo operation, in order to 
determine the point of failure. Session 2 is recording only probes that go over the threshold of 40 msec. 
Once the probes start timing out at 100ms, session 1 is started and all data is recorded. 


rtr 





session 1 


type pathEcho protocol ipIcmpEcho 10.0.0.1 


di 
fi 
li 
st 


stributions-—of-statistics-kept 3 
lter-for—-history all 
ves-—of—history-kept 2 
atistics-—distribution-interval 20 


paths-of-statistics-kept 1 


ho 


ps-—of—-statistics-—kept 1 


samples-—of—history-kept 1 


bu 


ckets-of—history-kept 4 


exit 


rtr 
rtr 


schedule 1 start-time pending 
session 2 


type echo protocol ipIcmpEcho 10.0.0.1 


di 


stributions-of-statistics—-kept 3 


threshold 40 
timeout 100 


fi 


lter-for—-history overThreshold 


lives-of—history-kept 2 


st 


atistics-—distribution-interval 20 


paths-of-statistics-kept 1 
hops-of-statistics-kept 1 
samples-—of—history-kept 1 


ex 
rtr 
rtr 
rtr 
rtr 


it 

reaction-configuration 2 action-type triggerOnly 
reaction-configuration 2 timeout-—enable 
reaction-trigger 2 1 

schedule 2 start-time now 


The exact syntax to trigger a session based on events requires the triggered session to be in pending state 
(rtr schedule <session-id> start-time pending). Then the trigger must be enabled for the 
"calling" session, this command: 


CLI ( 


configure)> rtr reaction-configuration <session-id> action-type 
{ triggerOnly 
| trapOnly 
| trapAndTrigger 
| none } 


If the action is triggered by a timeout, use: 
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CLI (configure)> rtr reaction-configuration <session-id> timeout-—enable 


If the action is triggered by a threshold, the command is the following: 


CLI (configure)> rtr reaction-configuration <session-id> threshold-type 
{ average <1-16> 
| consecutive <1-16> 
| immediate 
| never 

| xOFy <x:1-16> <y:1-16> } 


If average is selected, the action is triggered if the threshold is crossed on average of the configured 
number of samples. If consecutive is selected, the action is triggered if the threshold is crossed as 
much consecutive times as configured. If xOFy is selected, the action is triggered if the threshold is 
crossed x times during the last y samples. 


After that the action trigger is set, the session with an attached trigger must be associated with a session 
that is called when the trigger is activated: 


CLI (configure)> rtr reaction-trigger <calling-session> <called-session> 


Then, the calling session must be scheduled to complete the configuration. 
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2.26 HTTP(S) SERVER 


The embedded Web server can use either HTTP or HTTPS or both protocols. However, it is always called 
"HTTP Server" in all cases in the following. 


The HTTP or HTTPS Server relies on the OneOS feature called "Web Configurator Factory" (WCF). WCF 
is a framework allowing a user to load on the router self-designed web pages. A separate document 
explains the WCF features and the web page implementation. 


The present document only deals with HTTP or HTTPS Server activation and configuration. 
2.26.1 Installing a Set of Web Files 


Web files can be installed one-by-one in flash file system. To make an update easier, one can upload a 
TAR file in flash and untar it. The TAR file should contain all htmi files, js, gif ... The untar operation 
overwrites existing files if already present in flash. However, before decompressing the files, the untar 
function can remove all files of a directory and its sub-directories. 


First download the Tar file. For example, with TFTP: 
CLI> copy tftp://myserver/webconfigurator.3.7r10.e3.tar web.tar 


Then, the command to clean/untar files is: 


CLI> untar <source> <dest-directory> [clean-up [all-sub-dir] ] 


For example: 


CLI> untar web.tar /webroot clean-up all-sub-dir 


2.26.2 Configuring HTTP Server 


The HTTP protocol and the HTTPS protocol are both available by default. To select HTTP only, or HTTPS 
only or both protocols, use the next command under configuration terminal: 


CLI (configure)> http-server protocol { http-and—-https | http-only 
| https-only } 


Warning: to use HTTPS, a valid certificate must be associated to the OneOS-based router. Refer to 
chapter 2.27 Certificates management for more information. 


The HTTP server is disabled by default. To enable/disable the HTTP server, use the next command under 
configuration terminal: 


CLI (configure)> http-server { enabled [<path>] | disabled } 


The path is the path of the root directory of the web pages, where the files logon. htm and index.html 
are located. By default, the root path is flash: //webroot. 


Users accessing the web pages must be authenticated. The user login and passwords are checked from 
the local password file (flash: //password file). Configuration example: 


CLI> user add <webuser> <webpassword> <weblevel> 
By default users configured in the flash: //password file can login on the Web Configurator. Those 


users could also access the CLI. It may be desired to strictly separate CLI and web users. To operate the 
web server in this mode (with web only users), first the http-server must be started with an extra option: 
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CLI (configure)> http-server enabled <path> allow-web-users-—only 


Then a web-only user can be created via the next command: 


CLI (configure)> http-server user add <username> <password> <access—level> 
[invite-password-change] [already-encrypted] 


The username and the password are 64-character strings that contain any character except ":", "!", "2", 
ue "Qn me eerie wae TT sae "", "space", "apostrophe", "quotation mark" and "tab". 


The access-level is a number ranging from 0 to 15 (O=user, 7=manager, 15=admin). The access-level has 
the following functions: a page can be seen by a logged user if the page has got the default access 
authorization level or it is lower than or equal to logged-in user level (See 2.26.3). It is also used to check 
the executed CLI commands through web interface. 


The keyword invite-password-change sets a flag that will be used by the Web Configurator to 
request a user to change his own password (so the web pages must support this facility, which is fully 
optional on the web pages). The already-encrypted keyword tells that the password is already 
encrypted via MD5. 


If the command http-server user add ...is executed for a username that already exists, the following 
warning is displayed “User already exists; Taking new attributes into account”. In this case, the user is 
internally deleted, then re-created with the new user parameters. 


Note: it is possible to create web users from IBC. If the user was already created from IBC, http-server 
user add <username> ... will NOT overwrite the user parameters. 


To delete a web-only user: 


CLI (configure)> http-server user delete <username> 


By default, the http server is reachable by any IP interface (atm, loopback, fastEthernet ... IP 
addresses). To attach the http server to one or more interface, use the following command: 





CLI (configure)> [no] http-server bind <interface> <unit> 


To unbind the http server from an interface, use the no form of the command: 


CLI (configure)> no http-server bind <interface> <unit> 


To unbind the http server from any particular interface (i.e. attach to all the interfaces, default setting): 





CLI (configure)> http-server bind any 


By default, the http server is associated to the default VRF. To associate the http server to a non-default 
VRF, use the following command: 


CLI (configure)> http-server vrf <vrf-name> 


To remove the http server from a non-default VRF, use the no form of the command: 


CLI (configure)> no http-server vrf [<vrf-name>] 


As security measure, it is also recommended to attach an access-list to the server. It prevents access to 
the HTTP server from untrusted IP networks. To restrict access to HTTP server for HTTP clients matching 
an access-list: 


CLI (configure)> http-server acl <acl-name> 


To detach the access-list: 


CLI (configure)> no http-server acl 


The web configurator generates CLI commands from HTML forms and sends the CLI to the product. By 
default, any command that is syntax-wise correct is accepted. However, OneOS can check that either the 
entered CLI privilege level is not greater than a required level or the CLI level is lower than or equal to 
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logged-user level (http-user). Syntax: 


CLI (configure)> http-server wcf cli-exec-level { <10-15> | http-user } 


The outcome of applying changes on every HTML page is to create a set of CLI commands that is 
executed immediately by the system when the HTML form is posted. If the changes must be saved, the 
CLI commands must contain the command save running-configoOrwrite mem. 


Autoconfiguration could be used. This feature updates the router configuration and software. In other 
words, the downloaded configuration by autoconfiguration eliminates changes made by the HTTP server 
by overwriting the saved configuration. However, it is still possible to overcome this incompatibility. The 
process runs as follows: first, CLI commands executed by the HTTP server are saved in flash (in path). 
Then, autoconfiguration downloads a new configuration and reboots the router. If OneOS reads the 
command http-server wcf exec-web-cli, all the CLI files in path are executed again, so that 
settings from HTTP server are again active. To enable/disable this behavior (disabled as default): 


CLI (configure)> [no] http-server wcf exec-web-cli [<path>] 


To get the actual configuration, WCF emulates a"show running-config" command. Some applications 
with a lot of HTML pages and specifically designed for this purpose can save time asking WCF to read an 
existing file (generated by the HTML pages) rather than using the "show running-config" Command. 
Use the following command to have this behavior: 


CLI (configure)> http-server wcf parse { running-config | saved-config } 


Note: the above function is not available in the standard WCF/OneOS software. 


Users are automatically logged out after expiration of an inactivity timeout. By default, it is 1200 seconds. 
To set timeout: 


CLI (configure)> http-server timeout { default | <10-100000> } 


Note: unauthorized connection attempts are subject to blacklisting (see 2.28). 


2.26.3 HTTP Proxy 


When a LAN device is associated to a gateway, the HTTP proxy is implicitly enabled on the gateway. 
During association, the gateway learns the LAN device name. The "short device name" is the device name 
where "_" and subsequent parameters are stripped. All HTTP requests whose URL contains a pattern 
matching the short device name is forwarded to the LAN device. For more information, refer to "DHCP 
Device Association" section in "Dynamic Host Configuration Protocol" chapter of "OneOS — Basic IP User 


Guide" document. 


The http server must be enabled on the LAN device in a special mode, because the HTTP protocol 
between LAN device and gateway is authenticated in a special mode. To enable the HTTP server in LAN 
device mode: 


CLI (configure)> http-server enabled device-—mode 


2.26.4 Web Page Access Restriction 
2.26.4.1 Restriction File Format 


Every logged user on the web server is associated with a user level. By default, all pages are accessible. It 
is possible though to display only pages for users whose level is greater than or equal to the page level. 


Aim of this security issue for WCF is to control the access level of WEB pages using one configuration file 
placed in each folder. This can be easily done using some .ini files. These .ini files must be named 
".wcefaccess.ini". Access level is read & set at HTTP Server startup or when the following command is 
triggered: 
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CLI (configure)> http-server wcf access-level reload 


In order to implement the Access Level issue for WCF, the following format rules is used for the . ini files: 
a section for each file must be created and inside it place a keyword called Access-level, as follows: 


[<resource-name>] 
Access-level = <Access—Level-Value> 


Example: 


[index.htm1] 
Access-level = 2 


[WEPKeyConfig.htm1] 
Access-level = 2 


[WlanConfig.html] 
Access-level = 9 


By default, when the HTTP Server is enabled, the logon.htm page always has access level set to 0 
(even ifa".wcfaccess.ini" file modifies this level). One must take care that the user does not change 
the access level of the Logon.htm page. The rest of the files have their access level set to 1. When the 
engine is triggered, if a file has a custom access level specified in a".wcfaccess.ini" file, its access 
level is changed to the specified one. 

Since the use of ". wcfaccess.ini" files is not mandatory, the user can set the default access level that 
will be assigned to the all files managed by the HTTP server. The following CLI allows doing this: 


CLI (configure)> http-server wcf access-level default <default-—level> 


Example: 





CLI (configure)> http-server wcf access-level default 15 


Note: if no default access level is set, the default level will be 1 (like in previous versions). 


2.26.4.2 Assign access level to a new page 


The following CLI is available to assign a custom access level to a WEB page: 


CLI (configure)> http-server wcf access-level assign 
<absolute-resource-path> <access-level> 


Note: custom access level can be assigned to any WEB Resource (html, css, js, jpg). 


Note: when assigning/removing the access level for a resource, all actions are written in the .ini file. In 
order to effectively set the new access level to WEB Resources, use reload command or re-enable the 


HTTP Server. 
2.26.4.3_ Delete access level entry for a page 


The following CLI is available in order to remove from ".wcfaccess. ini" file the entry for a specific WEB 
resource: 


CLI (configure)> http-server wcf access-level delete 
<absolute-resource-path> 


Note: this command can be triggered at any moment (even if the HTTP Server is up or not). 


2.26.4.4 Display access level settings 


Following show commands are available: 


CLI> show http-server wcf access-—level stored-access-—level 
[<location-path>] 


CLI> show http-server wcf access-level default—access-—level 
CLI> show http-server wcf access-level current-—access-—level 


Note: index.html page is registered twice: as URL “\” and as URL “\index.htm1”. On command 
“show http-server wcf access-level current-access-—level” it should appear twice, once for 
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each URL. On command “show http-server wcf access-level stored-access-—level” is 
should appear once since we have one single file on flash. 


CLI> show http-server wcf access-level <location-path> 
In order to display all access levels assigned (in specific .ini file) to all resources from a specific WEB 
project, following CLI is available: 


CLI> show http-server wcf access-level stored-access—level 
[<location-path>] 
Following format must be used to display information (like "1s" in Linux): 


<absolute-resource-path> <access-—level> 
Path displayed is relative to <location-path>. All pages in the WEB project must be displayed, even if 
they have no custom access level defined in the “.wcfaccess.ini”! 


For resources defined in the .ini file, developer must display the access level specified in the 
.wcfaccess.ini file. For resources that are not defined in the .ini file, developer must display the 
default access level. 


Parameter <location-path> is optional and can be a folder on the flash or a single file (WEB 
Resource). If not provided, it will be the starting location of the HTTP Sever (if up; if HTTP Server is down, 
an error message must be displayed). Full path must be provided to the desired folder/resource. 


This following command displays the default access level. 
CLI> show http-server wcf access-level default-—access-—level 
This show command displays the current access-level status for all WEB Resources. In this case, the 


access-level value is retrieved from HTTP Server's structures, not from the . ini files (meaning we display 
the access-level which is effectively set on a resource). 


This command can be triggered only when HTTP Server is up and displays access-level for all WEB 
resources as they are retrieved from HTTP Server's resources list. 


2.26.5 Download/Upload File Restriction 


As of V4.2R2E2 software release, downloading and uploading of files using WCF can be denied. 


To globally deny downloading of files using WCF, use the following command: 


CLI (configure)> http-server wcf download deny 


To globally deny uploading of files using WCF, use the following command: 





CLI (configure)> http-server wcf upload deny 


To allow downloading of only certain files using WCF, use the following commands: 


CLI (configure)> http-server wcf download permit 

CLI (configure)> http-server wcf download path <path-1> [max-size <size>] 
[user-level <lvl>] 
CLI (configure)> .. 

CLI (configure)> http-server wcf download path <path-n> [max-size <size>] 
[user-level <lvl>] 





CLI (configure> exit 


path-i can be either a file path or a folder path. 
max-size is the maximum size in KB that can be downloaded (0-4294967275; default 4294967275). 


user-level is the minimum user level requested to allow downloading (0-15; default 15). 


To allow uploading of only certain files using WCF, use the following commands: 
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CLI (configure)> http-server wcf upload permit 

CLI (configure)> http-server wcf upload path <path-1> [max-size <size>] 
[user-level <lvl>] 

CLI (configure)> .. 

CLI (configure)> http-server wcf upload path <path-n> [max-size <size>] 
[user-level <lvl>] 

CLI (configure> exit 


2.26.6 Debugging HTTP Server 


To activate WCF traces: 

CLI> debug wcf 
WCF Simulation mode is intended to be used when testing WEB Pages. It can do the value matching 
between HTML fields and a custom file ("flash://webroot/simconf.cfg"), instead of extracting html 


field values from "show running-config". Also, it never executes the CLI generated - it will only display 
the list of commands contained in the WEB page. 


CLI (configure)> [no] http-server wcf simulation-mode 
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2.27 CERTIFICATES MANAGEMENT 


Note: the certificates management depicted below is not meant to deploy certificates on a large scale. 


The OneOS-based router is able to manage up to five certificates: 


The HTTPS server certificate (always present). 

The TR-69 device certificate (always present only in some versions). 
The TR-69 root certificate (always present only in some versions). 
The IPsec/IKE (ISAKMP) root certificate (not always present). 

The IPsec/IKE (ISAKMP) client certificate (not always present). 


Note: a default HTTPS server certificate is always present to assure the functioning of HTTPS .This 
default HTTPS will however generate an HTTPS warning. It can be replaced by a customized one 
(see below). 


2.27.1 


Showing the content of the certificates 


To show the content of all available certificates on the device, use the following command in global mode. 


CLI> show certificates 


Example with only the default HTTPS server certificate available: 


CLI> show certificates 
default HTTPS server certificate: 
Certificate: 
Data: 
Version: 3 (0x2) 
Serial Number: 302127474 (0x12021972) 
Signature Algorithm: shalWithRSAEncryption 
Issuer: CN=OneOS_Device, OU=OneAccess, C=FR 
Validity 
Not Before: Aug 29 09:27:31 2008 GMT 
Not After : Mar 1 09:27:31 2037 GMT 
Subject: CN=OneOS_Device, OU=OneAccess, C=FR 
Subject Public Key Info: 
Public Key Algorithm: rsaEncryption 
RSA Public Key: (1024 bit) 
Modulus (1024 bit): 


88:b7:91:d6:84:70:£9:2f:£9:8b:c9:b6:17:24:20: 
ad: fe:39:fe:56:cf:62:d8:2f:74:01:6b:al:57:53: 
be: fe:ld:dc:4c:63:3c:77:c0:e0:34:cc:27:6f:89: 
a8:60:4b:24:3f:ec:e7:13:84:3£:30:0e:da:02:57: 
73:39:b9:86:£7:45:a5:0e:dce:1c:81:42:03:06:19: 
b7:16:25:£2:3b:bd:4a:06:72:ef:74:7b:c2:2£:39: 
Oa:1b:8b:69:48:95:cd:b6:30:67:91:c3:58:cd:9c: 
c3:4e:28:22:fe:8c:1b:62:e7 
Exponent: 65537 (0x10001) 
X509v3 extensions: 
X509v3 Subject Key Identifier: 
E4:39:DA:83:48:A2:02:83:96:21:29:BF:6D:03:B3:BB:A5:06:BA: 61 
X509v3 Authority Key Identifier: 
keyid:E£4:39:DA:83:48:A2:02:83:96:21:29:BF:6D:03:B3:BB:A5:06:BA: 61 


X509v3 Key Usage: 
Digital Signature, Key Encipherment, Certificate Sign 
X509v3 Extended Key Usage: 
TLS Web Server Authentication 
Signature Algorithm: shalWithRSAEncryption 
18:6e:¢9:ac:18:95:43:7e:72:55:32:70:5e:86:c8:59:60:3d: 
9a:bd:e2:11:2d:17:09:98:ae:c8:49:a7:04:b0:29:20:1b:95: 
96:69:26:0b:46:ea:ce:04:ec:de:a6:2d:cbh:23:e8:9d:fa:cc: 
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69:3d:77:cl:ca:£7:30:17:dd:86:e9: fa: 8b:7£:09:32:06:4e: 
a7:05:d9:54:77:14:e3:33:88:96:62:13:8d:35:77:23:1b:75: 
05:95:ea:e6:73:6b:da:c2:b7:6e:8e:70:32:47:7c:c8:97:4e: 
89:7b:1e:29:06:f£4:a7:6a:5d:85:9a:76:a4:4e:d2:49:59:e7: 
88:e2 


To display the content of all available certificates, use the following command lines. The detail optional 
parameter adds the subject public key and the signature information to the output. 


To display the list of the IPSEC CA certificates, use the following command line: 


CLI> show crypto pki ca [detail] 


To display the list of the IPSEC certificates, use the following command line: 

CLI> show crypto pki certificates [detail] 
To display the list of all available device certificates in the Secure Information Area (SIA) and the TR69 
root certificate, use the following command line: 


CLI> show crypto pki device-certificates [detail] 


To display the list of all available HTTPS server certificates, use the following command line: 


CLI> show crypto pki https [detail] 


2.27.2 Configuring the certificates to be generated 
To configure the HTTPS server certificate or the IPsec Certificate Signing Request (CSR) that will be 
generated (see below), first enter in certificate control mode; then use the configure command. 


CLI> certificate 
CLI (certificate) > configure 
CLI (cert-conf) > 


In this mode, a number of attributes can be changed before an HTTPS server certificate or an IPSec CSR 
is generated. 


The attributes that can be changed are described in the following paragraphs. 
2.27.2.1_ Subject Distinguished Name attribute 


The Subject Distinguished Name (DN) attribute is a set of fields describing where the subject is 
geographically and its role within an organization. 
To set the Subject DN Country field, use the following command line: 


CLI (cert-conf)> [no] subject C <name> 


To set the Subject DN State field, use the following command line: 


CLI (cert-conf)> [no] subject ST <name> 


To set the Subject DN Locality field, use the following command line: 


CLI (cert-conf)> [no] subject L <name> 


To set the Subject DN Organization field, use the following command line: 


CLI (cert-conf)> [no] subject O <name> 


To set the Subject DN Organization Unit field, use the following command line: 


CLI (cert-conf)> [no] subject OU <name> 


To set the Subject DN Common Name field, use the following command line: 





CLI (cert-conf)> [no] subject CN <name> 
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To set the Subject DN email address field, use the following command line: 


CLI (cert-conf)> [no] subject email-address <name> 


Note: for a self signed certificate, these fields will also be put in the Issuer DN field. 
2.27.2.2 Subject Alternative Name attribute 


The Subject Alternative Name extension allows various literal values to be included in the configuration 
file. These include host name, IP address and other Name (user). 


It is allowed to combine the 3 types of Subject Alternative Name. 
To set the content of the Subject Alternative Name host name field, use the following command line: 


CLI (cert-conf)> [no] alt-subject-name hostname <name> 


To set the content of the Subject Alternative Name IP address field, use the following command line: 


CLI (cert-conf)> [no] alt-subject-name ip-address <ip-address> 


To set the content of the Subject Alternative Name user field, use the following command line; (note that 
some browsers require that this field matches the host part of the URL of the HTTPS connection). 


CLI (cert-conf)> [no] alt-subject-name user <name> 


2.27.2.3_ Key length and cipher type attribute 


To set the key length and cipher type, use the following command line: 
CLI (cert-conf)> [no] key { rsa-1024 | rsa-512 } 


2.27.2.4 Key usage attribute 





To set the extendedKeyUsage field to TLS server authentication, use the following command 
line; (note that some browsers require this to be set to use the certificate for HTTPS). 


CLI (cert-conf)> [no] key-usage server-authentication 
2.27.2.5 Certificate enrollment 


Certificates can be obtained either using SCEP (Simple Certificate Enrollment Protocol) or using TFTP. 


To specify the URL where to obtain the signed certificate via SCEP, use the following command: 


CLI (cert-conf)> [no] enrollment url http://ip_address/scep_path 


ip_address is the IP address of the SCEP server. 
scep_path is the SCEP server specific path, depending on the SCEP implementation that is used. 
Example: 


enrollment url http://10.0.28.1:80/cgi-bin/openscep 
enrollment url http://10.0.28.1:80/certsrv/mscep/mscep.d1l 


To specify the URL of the TFTP server where the request should be sent and where to obtain the signed 
certificate, use the following command: 


CLI (cert-conf)> [no] enrollment url tftp://ip_address/filename 


ip_address is the IP address of the TFTP server. 
filename is the {base-name} (without extension) of the certificate or certificate request. 


The extensions ". key", ".ca", ". req", ".cer", ".p12" or ".pem" are automatically added to the {base- 
name}, depending on the action taken in the import or enroll command. 


Note: Restrictions apply to the name of ISAKMP certificates. See below. 
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ISAKMP certificates conventions 


The ISAKMP CA certificates must be located in the /security/ca directory. The certificates in this 
directory are used for the actual X.509 authentication. 


The ISAKMP trusted certificates must be located in the /security/certs directory. These certificates 
are required to have a subjectAltName extension containing the certificate holder identity; usually ip- 
address, hostname (FQDN), or user-fqdn. 


The ISAKMP certificates are loaded at boot-time or after entering the command: 


CLI (configure)> crypto pki reload 


The ISAKMP private keys must be located in the /security/private directory. This directory contains 
the private keys matching the public key of our certificate (which should be in the /security/certs 
directory, and have an appropriate subjectAltName field). The name of the file must be of the format: 
ip-address, hostname Or user-fqdn. 


The name of the key file must consist out of the value of the self-identity (also called local identity) type 
configured. 


Examples: 


e for self-identity type ip-address the filename could be 172.31.10.1 (the IP address of the egress 
interface) 


e for self-identity type hostname the filename could be router1l.mydomain.com (the hostname of 
the local router) 


e for self-identity type user-fqdn the filename could be user@mydomain.com or user (the email 
address or name of a local user) 


Note: if no local key file is found that matches the above described types, the file Local.key is used as 
the local key for the ISAKMP rsa-sig authentication. A certificate with a matching public key must exist 
inthe /security/certs directory. 


A certificate can only be validated if the time and date is set correctly on the router (see time, date and 
sntp commands). If the time and date is not correct, the message certificate is not yet valid 
will be displayed when the router tries to validate an ISAKMP certificate. 


2.27.2.6 Miscellaneous commands 


To remove a parameter from the certificate configuration, use the no form of the command line. 


To return to the default setting for all fields, use the following command line. It can be preferable to use this 
command first, prior configuring the fields, to ensure that the device starts with the known default 
configuration. 


CLI (cert-conf)> default 


To exit the certificate configuration mode: 


CLI (cert-conf)> exit 
CLI (certificate)> exit 
CLI> 





2.27.3 Creating the certificates 


2.27.3.1 Self-signed HTTPS server certificate 


Admin User Guide Page 2.27-94 of 130 


ONEOS V4.3R4 /V5.1R3 ADMIN USER GUIDE (EDITION 10) 


To generate a self-signed HTTPS server certificate, use the following command in certificate control mode. 
The certificate will be placed in the /security/https_one.pen file. 


CLI (certificate) > enroll self-signed 
If a certificate already exists, it will be replaced. If no configuration has been done, a certificate with 


CN=device serial number will be generated. The certificate serial number is also based on the device serial 
number, but with a trailer to guarantee uniqueness if this action is performed multiple times. 





Note: the "generate self-signed" command is deprecated and replaced by the “enroll self- 
signed" command. 


2.27.3.2 Certificate signing request 


To generate a certificate signing request (CSR) and send the request to the URL configured in the 
enrollment command, use the following command in certificate control mode. If TFTP is chosen to enroll, a 
file with the name {base-name} . req will be transferred to the CA (Certificate Authority). 


CLI (certificate) > enroll signing-request 
2.27.3.3 Certificate import 


To import a CA certificate and place it in the /security directory with name {base-name}.ca (with 
{base-name} being the actual file name of the certificate), use the following command: 


CLI (certificate)> import ca [purpose isakmp] 


The keyword purpose isakmp should be added to the command line if the CA certificate is used for 
ISAKMP crypto. In this way the CA certificate will be placed in the /security/ca directory. 


To import a signed certificate and place it in the /security directory with name {base-name}.cer, use 
the following command: 


CLI (certificate)> import certificate [purpose isakmp] 


The keyword purpose isakmp should be added to the command line if the certificate is used for 
ISAKMP crypto. In this way the certificate will be placed in the /security/cert directory. 


To import a signed certificate in the privacy enhanced mail (PEM) format and place it in the /security 
directory with name {base-name} .pem, use the following command: 


CLI (certificate)> import pem [purpose https] 


The keyword purpose https should be added to the command line if the .pem file contains an HTTPS 
server certificate. In this case the .pem file should also contain the appropriate private key. 


To import a Public Key Cryptography Standards 12 (pkcs12) package and place it in the /security 
directory with certificate name {base-name}.cer and private key name {base-name}.key, use the 
following command: 


CLI (certificate) > import pkcs12 <key> [purpose isakmp] 
The key used for decrypting the package should be provided to you by the certificate authority. If the 
certificate is used for ISAKMP crypto, then the keyword purpose isakmp should be added to the 


command line. In this way the certificate will be placed in the /security/cert directory and the private 
key will be placed in the /security/private directory. 


2.27.4 Certificate matching against criteria 


2.27.4.1 Configuring the criteria to which a certificate must comply 
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A crypto certificate map defines the criteria to which an X509 certificate must comply. To configure a PKI 
certificate map entry, and enter in certificate map configuration sub-level, use the following command line: 


CLI (configure)> crypto pki certificate map <name> <priority> 
CLI (cert-map) > 
name is the name of the certificate map; priority is the priority of the certificate map (0-10000). 


When creating a new certificate map a priority is required. This priority will be taken into account when 
matching a certificate to a certificate map; maps with the same name but different priorities will all be 
checked starting with the map with the highest priority (lowest number). 


To remove a certificate map, use the following command line: 
CLI (configure)> no crypto pki certificate map <name> [<priority>] 


The version of the command without the priority will delete all maps with the given name. When a priority is 
supplied, only the map with the given priority will be deleted. 


All criteria can be supplied in 4 different formats: contains (co), not contains (nc), equals (eq) and not 
equals (ne). This means a certificate property must contain a certain string, not contain a string, be exactly 
the same or different from a given string value, respectively. Several criteria can be applied to the same 
property (e.g. co a /nc b /nc c/co d/ ne da). 


The certificate (map) is valid when all criteria match. 


To configure one criterion for the subject name certificate property, use the following command: 


CLI (cert-map)> [no] subject-name { co | ne | eq | ne } <string> 


To configure one certificate alternate subject name criterion, use the following command: 


CLI (cert-map)> [no] alt-subject-name { co | ne | eq | ne } <string> 


To configure one certificate issuer name criterion, use the following command: 





CLI (cert-map)> [no] issuer-name { co | nce | eq | ne } <string> 


To remove a specific criterion for a specific certificate property, use the no form of the command. 


To empty the list of criteria of a specific certificate property, use the default command: 


CLI (cert-map)> default subject—-name 
CLI (cert-map)> default alt-subject-—name 
CLI (cert-map)> default issuer-—name 


To finalize the certificate map configuration: 


CLI (cert-map)> exit 


2.27.4.2 Matching the criteria 


When certificates are used for authentication, a dedicated command allows verifying the contents of the 
arbitrary fields of the peers’ certificate. This is accomplished by applying a certificate map to an ISAKMP 
profile using the match certificate command (refer to "ISAKMP Profile" section in "IP Security" 
chapter of "OneOS — Advanced IP User Guide" document). 


Note that if both a certificate map and a trust-point (see below) are configured for an ISAKMP profile then 
first the trust point revocation check will be performed. If the certificate has been revoked, no certificate 
map rules will be verified. 
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2.27.5 Certificate revocation checking 
2.27.5.1 Configuring a trust-point to check the revocation of the certificate 


A trust-point encapsulates the certificate revocation check rules used to verify the validity of the certificate 
used to set up a secure connection. To configure a PKI trust-point, and enter in trust-point configuration 
sub-level, use the following command line: 


CLI (configure)> crypto pki trustpoint <name> 
CLI (trustpoint)> 


name is the name of the trust-point. 


To remove a trust-point, use the following command line: 


CLI (configure)> no crypto pki trustpoint <name> 


The possible revocation check options are CRL (Certificate Revocation List), OCSP (Online Certificate 
Status Protocol) and none (which is the default), in order of priority, with each option being optional. If the 
CRL check fails, no OCSP check will be performed, even if the OCSP option has been configured. 


CRL checks are performed first, because they are faster in that they don’t require any network transaction. 
Any certificate listed in the CRL has been revoked and can never be valid again. Since the CRL is a local 
file that has to be retrieved from the CA at regular time intervals (a CRL has its own validity timestamps), 
this information can be out of date thus it’s possible the certificate is marked as valid while the CA has 
already revoked it. But once a certificate that has been revoked, it will never be marked valid again. The 
certificate revocation list should be stored in the /security/cri1s directory and be called ipsec.crl. If 
no CRL file is present on the file system the revocation check will fail, unless the option none is provided 
(an IPsec INFO message will be logged — regardless of debug output settings — reporting the accepted 
error condition). 


In order to have the most recent certificate status, OCSP checks can be used. The drawback of this option 
is this requires more time compared to the CRL check because of the network traffic involved. In the trust- 
point the OCSP URL has to be provided before the first use (in the format http: //server:port). If the 
OCSP server fails to respond (timeout), an error occurs in the response (invalid response), no connection 
to the OCSP server could be established (server down or wrong OCSP server configured) or a certificate 
not issued by this particular CA is verified (certificate status unknown), the check will fail, unless the none 
option was provided (as with the CRL check, an IPsec INFO message will be logged reporting the 
accepted error condition). OCSP uses a caching mechanism to cache OCSP responses and the content of 
this cache will be refreshed automatically on a daily basis. This has been done to improve ISAKMP setup 
latency. 


Simply setting the revocation check to none (thus not in conjunction with the CRL or OCSP options) or 
leaving it to default will not perform any verification on the validity of the certificate. 


To configure the revocation check options, use the following command: 


CLI (trustpoint)> [no] revocation-check [crl] [ocsp] [none] 


Use the no form of the above command or the following one to return to the default option (none): 





CLI (trustpoint)> default revocation-check 


To configure the OCSP URL (in the format http: //server: port), use the following command: 


CLI (trustpoint)> [no] ocsp <url> 


Use the no form of the above command or the following one to return to the OCSP default option (empty 
URL string): 


CLI (trustpoint)> default ocsp 
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Deleting a trust-point, deleting the revocation check criteria or clearing the OCSP URL will delete all 
cached information for that trust-point. Changing the revocation criteria or setting them to default will 
trigger an update of the revocation check information for the certificate. Setting the OCSP URL will 
retrigger lookups for the trust-point. 


Note: setting the same revocation check can be done to trigger an update, without actually changing the 
criteria and without having to wait for the auto update timeout. 


To finalize the revocation check options configuration: 


CLI (trustpoint)> exit 


2.27.5.2_ Checking the revocation 


When certificates are used for authentication, a dedicated command allows checking the revocation of the 
certificate prior to the certificate matching. This is accomplished by activating a trust-point in an ISAKMP 
profile using the trustpoint command (refer to "ISAKMP Profile" section in "IP Security" chapter of 
"OneOS — Advanced IP User Guide" document). 
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2.28 BLACKLIST MANAGEMENT 


In order to protect the OneOS-based router as much as possible against brute force attacks, a blacklisting 
process is implemented for console, tshell, telnet, SSH, and web connections (login). 


For console and tshell connections: a counter is created for each service. If the entered password is 
correct, the counter is reset to zero. If the password is incorrect, the message "Unauthorized access! 
Check username and password" is displayed and the counter is incremented. When the counter becomes 
greater than or equals 3, the message "Your access to the ... is blocked for the moment’ and the answer 
to password submission is delayed by 60 seconds. 


For telnet, SSH, and web connections: at each failed connection attempt, the source IP address of the 
request is recorded in a table. After 3 successive failed connection attempts from a given IP address, the 
blacklisted flag is set and a timer of 60 seconds is started. Any following connection attempt from a black 
listed IP is immediately rejected for the three services (without even offering authentication). After timer 
expiry, the IP address is flushed from the table. Any successful connection attempt flushes the IP from the 
table. A black list table is created for each service (telnet, SSH, web). Each table has the size that 
corresponds to the maximum number of sessions for the corresponding service. If the table is full, any 
extra connection is rejected immediately without even offering authentication. 


Note: the behavior described above means that when one service is blacklisted, only the show blacklist of 


this service lists the blacklisted IP address. But, the three services (telnet, SSH, web) are blacklisted. 


The services that have been blacklisted are stored in two circular log files called blacklisti.log & 
blacklist2.log; each file is limited to 70 lines. 


To display the services that have been blacklisted, use the following command in global mode: 
CLI> show blacklist log 


Date | Service | IP Address 
2009.03.17 09:41:03 Telnet 192.168.1.2 
2009.03.17 09:42:37 Tshell 192.168.1.9 


Tshell 


| | 

2009.03.17 09:52:52 | Tshell | 192.168.1.7 
| | 
| Telnet | 


To display, for a particular service, the currently blocked connections, use the following command: 
CLI> show blacklist { console | tshell | telnet, | ssh | http-server } 


IP Address Attempt Count 
192.768.1057 2 
192%.:1'68'.1):9 3 (blocked) 
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3 AUTO-UPDATE 

3.1 INTRODUCTION TO AUTO-UPDATE 
This section describes the auto-update features of OneOS. 
Auto-update enables to automatically acquire configuration parameters and update software/web 
Configurator or any file stored in OneOS-based router flash file system. 
The objective of such function is primarily to optimize deployment and maintenance costs of a large 
installed base of routers. This function is the cornerstone to realize zero-touch service activation. 
Note that this function is an alternative to another OneOS feature called "autoconfiguration" (see section 
5). Autoconfiguration uses DHCP, TFTP and FTP protocols whereas auto-update uses HTTP. 
Autoconfiguration and auto-update are mutually exclusive. The advantages of auto-update are: easier to 
implement (no firewall issues caused by DHCP) and more open for web Configurator upgrade. 

3.1.1 Auto-update Sequencer 


The auto-update sequencer is a state machine managing the execution of auto-update jobs. Auto-update 
jobs can be: 


e = Single file update 

e Update of a set of files via TAR archive download and extraction 

e Software update 

e Configuration update 

The sequencer starts the auto-update operation further to auto-update triggers, namely: 
e The user entered an auto-update command requesting the start of auto-update 

e A monitored interface went up 

e The auto-update periodic timer elapsed 


Further to a trigger, the auto-update sequence is started. It means that the sequencer initiates each update 
job sequentially (they are ordered with a sequence ID). When done, the sequencer examines the returned 
job execution status (can be “update successful’, “no error, no update”, and “failure”). For every job, the 
sequencer is informed (per configuration) of the next step to execute depending on the returned status 
(can be “stop auto-update sequence”, “continue”, “reboot”). When every job is executed, the sequencer 
looks if there was at least one update. If one update happened, a configuration parameter indicates if the 


router shall reboot or not. 


The auto-update sequencer state machine is represented hereafter: 
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3.1.2 Software Update 


Before downloading the OneOS software, the router queries the software version that should be used, by 
sending an HTTP GET to index-url URL. This current OneOS version is compared with running version 
indicated by the ‘show version’ command. If it is different from OneOS version returned by index-url, 
the OneOS file is downloaded. After download, software integrity is checked. If the check is passed, the 
new OneOS replaces the current OneOS in flash. 


3.1.3 Configuration Update 


Before downloading the configuration, the router may query the configuration index (a kind of version for 
the configuration, optional in the configuration), by sending an HTTP GET to index-url URL. If the 
router does not query the configuration index, the configuration file is downloaded directly and compared 
with the configuration download during the last auto-update sequence. If they are different, OneOS 
continues configuration update. 


This current configuration index is saved in router flash. If it is different from configuration version in server, 
the configuration file is downloaded. 


After configuration download, two behaviors are possible: 


e Execute the configuration. If no error in execution is detected, the upgrade is considered successful. If 
successful, the running version is saved. If not successful, the router saves the configuration index in 
flash and reboots. 


e The configuration index is saved in flash. The router replaces the current configuration with the new 
one and reboots. 
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3.1.4 TAR File Update 
Before downloading the TAR, the router queries a TAR index (a kind of TAR file version), by sending an 
HTTP GET to index-url URL. The current index is saved in router flash. If it is different from TAR index 
returned by index-url, the TAR file is downloaded and extracted. The TAR file update is needed when 
many files needs to be updated. 
3.1.5 Contents on HTTP Server 
e Configuration index: integer positive number (1-65535). 
e Configuration: content of a text configuration file (carriage return is \n or \r\n). 
e OneOS: content of the *.zzz binary file (example: ONEOS4-VOIP_SIP-V3.7R11E15.ZZZ). 
e OneOS index: exact version name, as displayed by show version. Example: ONEOS4-VOIP_SIP- 
V3.7R11E15 (1-32 characters). 
e TAR index: integer positive number (1-65535). 
e TAR file: valid TAR file. 
3.2 AUTO-UPDATE CONFIGURATION 


To start configuring auto-update, enter in global configuration mode and enter the following command: 
CLI> configure terminal 
CLI (configure)> [no] auto-update 
CLI (auto-update) > 
Auto-update can use a VRF different from the default VRF: 
CLI (auto-update)> [no] vrf <vrf-name> 


Then, the auto-update sequence trigger must be defined. It can be a periodic timer or the "UP" event of a 
monitored interface. Triggers are not exclusive with each other. 





CLI (auto-update) > trigger daily-restart-timer <StartHour> <EndHour> 
[<days>] 
CLI (auto-update) > trigger monitored-interface <type> <unit> 
[delayed-start <seconds>] 


The daily restart timer schedules a trigger days in days within a random hour between StartHour and 
EndHour. For example, trigger daily-restart-timer 01:00:00 02:30:00 2 schedules a 
trigger between 1:00 and 2:30 every two days. 





One monitored interface can be configured with configurable timer (by default: no delayed-start 
timer). Example: trigger monitored-interface atm 0.1. 


To remove the triggers: 
CLI (auto-update) > no trigger daily-restart-—timer 


CLI (auto-update) > no trigger monitored-interface <type> <unit> 


If a trigger happens too quickly, auto-update ignores it. In other words, as long as a min-interval timer has 
not expired, the trigger events do not start the update sequence. By default, the timer is 30 minutes long 
and can be set as follows: 


CLI (auto-update) > min-interval <minutes> 
After completing the update sequence, you may force auto-update to reboot the router or not in the event 


one successful update occurred. If at least one update happened at the end of the sequence, the router 
reboots by default. By choosing stop, the router will not reboot and just wait for next trigger. 
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CLI (auto-update) > on any-update { reboot | stop } 


Auto-update packets take as source address the IP address of outgoing interface, but it can be forced: 


CLI (auto-update) > source-interface <type> <unit> 
CLI (auto-update) > no source-interface 


The HTTP server may return different data (e.g. a different configuration file), when querying the same 
URL from different routers. In order to discriminate the GET requests from the different routers, every 
router can insert extra GET parameters. For example, it can query the following URL: 
http://server/version.php?ppplogin=value&mac=00:A0:FE:12:B8:59&firmware=xxxx&s 
erial=xxxxx&cpe_version=xxxxx&cpe_type=xxxxxéhardware=onel00&event=1&faultCode 
=0. In order to insert this parameter list (ppplogin=valueémac=00:A0:FE:12:B8:59...), the next 
command is needed: 








CLI (auto-update)> [no] http-get-extra-parameters 1 


The faultCode parameter in the above mentioned URL can have the following values: 
e 0: no error during the last auto-update, or just initial boot 

e 1: download of software index has failed 

e 2: download of software has failed 

e 3: the downloaded software did not pass the integrity check 

e 4:not enough space on the flash to terminate the software download 

e 10: download of configuration index has failed 

e 11: download of configuration has failed 


e 12: the downloaded configuration execution has failed 


3.2.1 Software Update 


To allow software update, enter the next command, where sequence-id is the step for the auto-update 
sequencer. The sequence number is intended to configure if software update must be done before or after 
configuration update. To enter the URL for software and software (index) version: 


CLI (auto-update) > software-update <sequence-id> 

CLI (sw-update)> index-url http://<path>/<software-version> [current-sw- 
version <suffix>] 

CLI (sw-update)> url http://<path>/<software-version> [current-sw-version 
<suffix>] 


If the current-sw-version parameter is present, the URL is a concatenated string from URL + running 
software name (such as ONEOS4-VOIP_SIP-V3.7R11E15) + the suffix. 


Before replacing the running software image file by the new one, auto-update saves the new OneOS 
under a temporary file. If it is valid, the temporary file replaces the running OneOS; the running OneOS is 
then saved as a_ backup image in_ flash. The back filename is by — default: 
flash://BSA/binaries/OneOs.old. To use another name: 


CLI (sw-update) > backup-software <path/filename> 
If the software is successfully updated, by default, the auto-update sequence continues; but the behavior 
can be changed as follows: 

CLI (sw-update)> on update-success { continue | stop | reboot } 
If an error occurs during software update, by default, the auto-update sequence stops and wait for next 
trigger; but the behavior can be changed as follows: 


CLI (sw-update)> on update-failure { continue | stop | reboot } 


To complete the process: 


CLI (sw-update)> exit 
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To remove software update: 


CLI (auto-update) > no software-—update 


3.2.2 TAR File Update 


To allow TAR file update, enter the next command, where <sequence-id> is the step for the auto-update 
sequencer (it is recommended to choose as 1; the software should always be updated first). To enter the 
URL for software and software index version: 


CLI (auto-update) > tar-resource-update <sequence-id> 

CLI (tar-res-update)> index-url http://<path>/<tar-version> [current-sw- 
version <suffix>] 
CLI(tar-res-update)> url  http://<path>/<tar-file> [current-sw-version 
<suffix>] 





If the current-sw-version parameter is present, the URL is a concatenated string from URL, running 
software name (such as ONEOS4-VOIP_SIP-V3.7R11E15) and the suffix. 


You must specify a target directory. With the option clean-up, the files of this directory are erased. If the 
option clean-up all-sub-dir is used, the target directory is erased including all its sub-directories. 





CLI (tar-res-—update)> target <TargetDir> [clean-up [all-sub-dir]] 


The TAR resource update can be used for various purposes. It may require the restart of http server or IBC 
shutdown. You can specify with the next command, the actions to operate before/after downloading the 
TAR file: 


CLI (tar-res-—update) > pre-update-action { http-server-disable 

| ibc-shutdown} <order-id> 
CLI (tar-res-update) > post-update-action { http-server-enable 
ibc-noshutdown} <order-id> 





If the TAR is successfully updated, by default, the auto-update sequence continues; but the behavior can 
be changed as follows: 


CLI (tar-res-—update) > on update-success { continue | stop | reboot } 


If an error occurs during TAR update, by default, the auto-update sequence stops and wait for next trigger; 
but the behavior can be changed as follows: 


CLI (tar-res-update)> on update-failure { continue | stop | reboot } 


To complete the process: 


CLI (tar-res-update)> exit 


To remove TAR update: 





CLI (auto-update)> no tar-ressource-update <id> 


3.2.3 Configuration Update 


To allow configuration update, enter the next command. sequence-id is the step for the auto-update 
sequencer. To enter the URL for configuration and configuration index version: 


CLI (auto-update) > config-update <sequence-id> 

CLI (cfg-update)> index-url http://<path>/<config-version> [serial—-number 
<suffix>] 

CLI (cfg-update)> url http://<path>/<config-file> [serial-number <suffix>] 





If the serial-number parameter is present, the URL is a concatenated string from URL + serial number + 
the suffix. 


One can choose between these behaviors: 
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e The current configuration file is overwritten by the new one (if they are different), then the auto-update 
sequence continues (in this case the downloaded configuration replaces the current one) (default). 


e The new configuration is added to the current configuration (if the add-in is different from the previous 
one). The downloaded configuration add-in is first executed in a temporary file, and if it is successful, it 
is saved in another file then a "save running" is done. If not successful the behavior depends on the 
auto-update configuration. 


CLI (cfg-update) > download-behaviour { overwrite | add-in } 


If the configuration is successfully updated, by default, the auto-update sequence continues; but the 
behavior can be changed as follows: 


CLI (cfg-update) > on update-success { continue | stop | reboot } 


If an error occurs during configuration update, by default, the auto-update sequence stops and wait for 
next trigger; but the behavior can be changed as follows: 


CLI (cfg-update)> on update-failure { continue| stop | reboot } 


To complete the process: 


CLI (cfg-update)> exit 


To remove configuration update: 


CLI (auto-update) > no config-update 


AUX LED status: 
e Orange, blinking: auto-update in progress 
e Steady green: auto-update successfully completed 


e —_ Blinking red: auto-update failure(s) 
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3.3 AUTO-UPDATE EXAMPLE 


configure terminal 
auto-update 
trigger monitored-interface Atm 0.1 
trigger daily-restart-timer 01:00:00 02:00:00 1 
source-interface loopback 4 
http-get—-extra-parameters 1 
software-update 1 
index-url http://autoupdate.com/sw-index/ current-sw-version .idx 
url http://autoupdate.com/sw/ current-sw-version .222Z 
backup-software /BSA/binaries/myOneOs.old 
exit 
config-update 2 
index-url http://autoupdate.com/config-index/ serial-number’~ .idx 
url http://autoupdate.com/config/ serial-number’ .cfg 
download-behaviour overwrite 
exit 
tar-resource-update 4 
target /webroot/html clean-up all-sub-dir 
index-url http://autoupdate.com/tar-index/ current-sw-version .idx 
url http://autoupdate.com/tar/ current-sw-version .tar 
pre-update-action http-server-disable 1 
post-update-action http-server-enable 1 
exit 
exit 
exit 





3.4 AUTO-UPDATE DEBUG AND STATISTICS 


To start auto-update manually: 
CLI> auto-update start 


To stop auto-update manually (i.e. auto-update completes the current update job but does not carry out 
next step): 


CLI> auto-update stop 


To activate debug traces for auto-update: 


CLI> debug auto-update 


Some auto-update history information is kept in circular files: 


CLI> cat flash://auto-updatel.log 
CLI> cat flash: //auto-—update2.log 


To show auto-update statistics: 


CLI> show auto-update statistics 


To show auto-update configuration: 


CLI> show auto-update setup 
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4 CPE WAN MANAGEMENT PROTOCOL (CWMP - TR-69) 





4.1 CWMP FEATURE DESCRIPTION 


OneOS implements the CPE WAN Management Protocol (CWMP) specified by the specification TR-069 of 
the Broadband Forum (formerly DSL Forum). This feature is introduced as of V4.2 and allows updating 
OneOS routers firmware, configuration file and additional files. 


The CWMP is structured in different layers, from IP connectivity to RPC calls encoded in SOAP. It is 
required that the OneOS router is pre-configured in such a way that IP/DNS connectivity and ACS URL are 
known. (ACS URL or IP cannot be auto-configured as depicted in TR-44 or TR-46). 


4.1.1 CWMP Transport Layer 
CWMP requires http/https as transport layers for RPC; the following transport layer characteristics are 
implemented in OneOS: 
e The destination port is configurable (default: 7547). 


e If HTTP is used, authentication via pre-shared key is optional (cf. RFC 2617, MD5-hashed digest or 
BASIC authentication). 


e The ACS can be designated by an IP address or a hostname. 
e HTTPS is optional. HTTPS requires that the product is loaded with appropriately signed certificates. 


e The source IP address of CWMP packets sent by the router cannot be forced to use a specific IP 
address of a router interface. 


e If the server sets cookies, the cookie is persistent in further HTTP requests. 
4.1.2 INFORM RPC: Triggering Events and Content 


When the CPE boots or upon specific events, the CPE indicates to the ACS that it is willing to establish a 
TR-69 session by sending an INFORM RPC. 


The INFORM RPC contains an event to indicate the trigger type of the INFORM RPC. They are: 
e “0 BOOTSTRAP”: first product installation. 


e “{ BOOT”: theoretically speaking, it means the router has rebooted. In reality, this event is fired when 
a monitored interface is going up. Typically, the BOOT INFORM is sent when ATM 0.1 interface is 
going up. OneOS CWMP module keeps track of past operations using the file /BSA/persist/cwmp. ini. 
OneOS takes the decision by reading this file to use the BOOT or BOOTSTRAP event. At first 
installation, this file does not exist and BOOTSTRAP is the used event. A delay timer prevents to send 
INFORM requests too early at boot time so that SNTP server can be synchronized. 


e “2 PERIODIC”: the ACS can configure that the CPE sends periodically an INFORM RPC. Enabling 
this mode and periodicity is set by the ACS. The periodic INFORM parameters can be manipulated via 
the SetParameterValue and GetParameterValue RPC. 


e “4 VALUE CHANGED”: in case the ACS URL is updated in CPE configuration or if the IP address of 
the monitored interface has been renewed. 


“9 REQUEST DOWNLOAD”: a CLI command (or Web configurator of the CPE) may issue an 
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INFORM with that event code. The ACS will look up if there is a new OS / Web / config for the CPE. 

The following inform event codes are supported for informs triggered further to an ACS request: 
e “3 SCHEDULED”: caused by the SCHEDULED INFORM RPC 
e “6 CONNECTION REQUEST” 
The INFORM contains certain fields, for which a small explanation is given hereafter: 
e MaxEnvelopes=1 
e Sub-objects of Deviceld: 

o Manufacturer: OneAccess_Networks 

o OUT: the first three bytes of the product MAC address is taken. Today: 0012EF 


o ProductClass: if the product is loaded with a X.509 certificate, the ProductClass is 
derived from the common subject name of the certificate (cf. line CN: ...). If there is no 
certificate, ProductClass is taken from the product info area in read-only system area (see 
further ahead the CLI command product-class-specification) 


e Sub-objects of ParameterList: 


o InternetGatewayDevice.DeviceInfo.HardwareVersion: see show product-—info- 
area CLI, at line Manufacturing file reference 








o InternetGatewayDevice.deviceSummary 





o InternetGatewayDevice.DeviceInfo.SpecVersion (dumb value: empty) 





o InternetGatewayDevice.DeviceInfo.SoftwareVersion: same string as provided by 
show version command 


o InternetGatewayDevice.ManagementServer.ConnectionRequestURL 





° InternetGatewayDevice.ManagementServer.ParameterKey 





° InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANPPPConnecti 
on.1.ExternalIPAddress or 
InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANIPConnectio 
n.1.ExternalIPAddress: public IP address that is used as monitored interface. 




















o Any customized parameter: a CLI command makes it possible to create custom objects that 
are inserted in the INFORM data. 


4.1.3 Initiating TR-069 Sessions from ACS 
4.1.3.1. | Connection Requests 


ACS-initiated sessions are needed to perform immediately actions on the CPE (such as software update). 


The ACS must send an HTTP GET request to the embedded HTTP server of OneOS, dedicated to TR-69. 
(Note that there might two instances of HTTP servers running in OneOS — one for web-based 
configuration, one for TR-69 -). 


The TR-69 http server is bound to a configurable port and interface (and optionally an ACL). The GET 
request can be authenticated by means of a password. After authentication, OneOS sends an Inform with 
“6 CONNECTION REQUEST” as event code. 


4.1.3.2 | Scheduled Inform 


The ACS can ask the CPE to send an INFORM later at a specified time. In that case, the event code in the 
INFORM will be “8 SCHEDULED”. 


Use case: Scheduled informs are useful for an ACS to schedule firmware updates of many CPE while 
limiting the number of simultaneous firmware upgrades. 
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4.1.4 RPC invoked by ACS 


When invoking the INFORM RPC (sent because of reboot, interface going up, connection request from 
ACS ...), the ACS is due to answer with an INFORM response containing the action to perform, namely an 
RPC call and associated parameters. 


4.1.4.1 Download RPC 


The supported downloaded file types are: 

e “1 Firmware Upgrade Image”: to update the router firmware. 

e “2 Web Content”: to download and extract a TAR file for Web Configurator or IBC update. 
e “3 Vendor Configuration File”: to update the router configuration. 


The files can be downloaded with HTTP or HTTPS transport protocol with optional username/password 
authentication. 


N.B.: in Download RPC, the failure/success URL redirect is not implemented. 
4.1.4.1.1 Firmware Update 


The inform response specifies the URL to query to download the firmware, username and passwords for 
authentication. The parameters FileSize and TargetFileName are ignored. 


In router configuration, a parameter defines the backup firmware, in case the new firmware is invalid 
(default backup-software: /BSA/binaries/OneOs.old). Actually, the appropriate setup is to configure 
the router as follows: 


e /BSA/bsaBoot.inf specifies the running firmware as /BSA/binaries/OneOs.new 


e Backup firmware is /BSA/binaries/OneOs. Implicitly, the OneOS boot loader tries to load 
/BSA/binaries/OneOs.new at boot; if this file is invalid (e.g. power-off during software download), 
the boot loader loads the backup software /BSA/ binaries/OneOs. 


Before downloading the file, the running software (if it exists) is renamed to overwrite the backup firmware. 
The new firmware replaces the running firmware (typically OneOs . new). After download, software integrity 
is checked. If the check is not passed, the new firmware is removed. 


After reboot, an INFORM RPC is sent with event code “7 TRANSFER COMPLETE”. 
4.1.4.1.2 Configuration Update 


The parameters FileSize and TargetFileName are ignored. 


The configuration file is downloaded in /BSA/bsaStart.cfg.new.au and compared with the 
configuration download during the last TR-069 configuration update operation 
(/BSA/config/bsaStart.cfg.add.au or /BSA/config/bsaStart.cfg.bad.au). If they are 
different, OneOS continues configuration update otherwise the operation is considered successful. 


After configuration download, two behaviors are possible: 


e Execute the downloaded configuration (upgrade mode=add-in). If no error in execution is detected, 
the upgrade is considered successful. If successful, the running configuration is saved. The 
downloaded configuration file is saved in /BSA/config/bsaStart.cfg.old.au. The download 
operation result is successful if the downloaded file is not empty and the configuration file is executed 
without errors. 


e Replace the current configuration (mode=overwrite). The downloaded configuration file is saved in 
/BSA/config/bsaStart.cfg.old.au. The router replaces the current configuration with the new 
one. The download operation is always considered successful, if the downloaded configuration file is 
not empty. 


Upon operation success, a reboot is done and after reboot, an INFORM RPC is sent with event code “7 
TRANSFER COMPLETE”. 


With the mode add-in, if the configuration is not executed properly, reboot is done automatically to restore 
the older configuration. 


After successful download, a reboot can be done if a configuration flag enables it. 
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4.1.4.1.3. Web Configurator, IBC Packages or Default Configuration File Update 


Such update is possible by means of the DOWNLOAD RPC where FileType = “2 Web Content”. The 
parameter FileSize is ignored. 


Updating the web configurator, IBC or the default configuration file is handled differently by OneOS. The 
downloaded files are packaged in a TAR file. To distinguish these update types, the TAR file contains a file 
(located at root path inside the TAR file) that must be named cwmp-update-type.txt). This file can 
contain one of the following strings: 


e DEFAULT_CONFIG to update a default configuration file. The TAR file is downloaded and extracted in 
the directory provided in TargetFileName tag (typically flash: /). 





e WEB to update the Web Configurator. The TAR file is downloaded and extracted in the directory 
provided in TargetFileName tag (typically flash: //webroot). Prior to doing the extraction, the 
HTTP server is shutdown and the HTTP server root directory (default: /webroot) is cleaned. After 
extraction, the HTTP server is re-enabled again. 


e IBC to update the IBC Packages. The TAR file is downloaded and extracted in the directory provided 
in TargetFileName tag (typically flash:/). Prior to doing the extraction, the IBC Service is 
shutdown. Then, IBC packages are updated. Finally, the IBC Service is restarted if needed. 


If cwmp-update-type.txt file is missing or its content does not match any of the above mentioned 
strings, the update type is assumed to be equivalent to WEB. 





To create a CWMP update file, first create the file cwmp-update-type.txt and then copy the TAR file 
(i.e. IBC TAR package, web TAR package...) named as web.tar under the same directory. Create the 
MD5 checksum of web.tar and save the file as web.tar.md5. Finally create the CWMP update file by 
creating a TAR archive file containing web.tar, web.tar.md5 and cwmp-update-type.txt files. 


Warning: as of V4.2R5E15, MD5 check sum is mandatory, otherwise update is rejected. 


Example for a web package (with Linux commands): 


Localhost$ cd <workingdirectory> 

Localhost$ echo “WEB” > cwmp-update-type.txt 

Localhost$ cp WCF-OA-....tar web.tar 

Localhost$ md5sum web.tar > web.tar.md5 

Localhost$ tar -r -file web.tar web.tar.md5 

Localhost$ tar cvf cwmp-package.tar web.tar cwmp-update-type.txt 


4.1.4.2 Reboot RPC 

The ACS can invoke the REBOOT RPC. 
4.1.4.3 FactoryReset RPC 

The ACS can invoke this RPC so that the product reboots and returns to factory defaults. 
4.1.4.4 Upload RPC 


This RPC enables an ACS to request the CPE to upload a file on a server. The following restrictions apply: 
e Only FileType “1 Vendor Configuration File” is supported (i.e. upload of the running configuration) 


e Transport layer can be: http or https, with or without username/password authentication 
4.1.4.5 GetRPCMethods 

This RPC enables the ACS to retrieve the list of supported RPC. 
4.1.4.6 | Managed Objects RPC 


The following RPC are supported to handle CWMP managed objects. 
SetParameter Values / GetParameterValues / GetParameterNames / AddObject / DeleteObjet 
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4.1 


5 


TR-69 Scenarios behind a NAT Gateway (TR-111, TR-69 Pass-through) 


Problem statement: a LAN device managed by CWMP protocol is addressed with a private IP address. 
This raises a security concern in that the LAN device could be installed and running from any LAN. Also for 
incoming connection requests, the LAN CPE should indicate a ConnectionRequestURL with a publicly 
IP addressable IP address. 


To solve this technical issue, the Broadband Forum (formerly DSL forum) released the TR-111 standard. 


OneOS fully supports TR-111 part 1 (Device-Gateway Association) as gateway and this is the default 
behavior. On non-standard products, OneOS behaves as LAN device. In that case, all objects in its data 
model start from root object Device. * instead of InternetGatewayDevice.*. 





TR-111 is implicitly active when enabling TR-69. As gateway, OneOS DHCP server replies with the DHCP 
option 125 if receiving the option 125 in DHCP requests. Similarly, OneOS products behaving as LAN 
device automatically include DHCP option 125 if TR-069 is active. Finally, the TR-111 data model for 
device - gateway association is populated accordingly. 


OneOS fully supports TR-111 part 2 (Connection Request via NAT Gateway) that allows an ACS to initiate 
a Session with a device that is operating behind a NAT Gateway. This provides the equivalent functionality 
of the TR-069 Connection Request, but makes use of a different mechanism to accommodate this 
scenario. 
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4.2 CONFIGURING CWMP 


To start configuring CWMP, enter in CWMP configuration mode as follows: 


CLI> configure terminal 
CLI (configure) > cwmp 
CLI (cwmp) > 





Use the following command to use a designated VRF different from the default VRF (it is possible to use a 
different VRF for the session itself and for the file transfers): 


CLI (cwmp)> vrf <vrf-name> [session | transfer] 
Use the following command to use the default VRF (it is possible to use a different VRF for the session 
itself and for the file transfers): 

CLI (cwmp)> no vrf [session | transfer] 
The ProductClass can be configured. It can be taken either from the X.509 certificate (if available) or the 


motherboard type or the product name (see CLI commands show product-info-area at line 
Motherboard type and show system hardware at line Device - default cert-or-mb-t ype): 





CLI (cwmp) > product-class-specification { cert-or-mb-type 
| mb-type 
| product—name } 
The ACS URL can be either learnt (using DHCP option 43) or manually configured. 
Use the following command to have the ACS URL learnt using DHCP option 43: 
CLI (cwmp)> acs url learn 
Use the following command to enter manually the ACS URL. The ACS URL can be a designated name or 
an IP address. The URL may contain a port number in case a different port than default (7547) is used: 
CLI (cwmp)> aces url {http| https}: //<ip-or-name>[:<port>]/<path>/<filename> 
If HTTP connection of the CPE is authenticated by means of a password, the next command line must be 
entered (authentication for HTTP sessions initiated by the CPE). Note that the password can be a static 


string or a string made up of a static string concatenated with the serial number (so that every router has a 
different password): 


CLI (cwmp)> [no] acs auth password <string> [serial-number] 
The serial number can be either the true serial number of the device (default) or a particular backup 
number: 

CLI (cwmp)> serial-number { default | bnumber } 
The monitored interface must be configured. It defines the interface that triggers the sending of an 


INFORM RPC whose event if BOOT or BOOTSTRAP after a configurable timer (by default: no delayed- 
start timer). The monitored interface is also the IP address that is in the INFORM: 


e To construct the URL for connection request. It is: http://<monitored-interface-ip>/<random> 


e = To know if the ExternalIPAddress is a PPP or IP interface for the object 


InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANPPPConnection.1.ExternalIPAddress Of 
InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANIPConnection.1.ExternalIPAddress 





The following command can be entered up to 5 times in order to monitor up to 5 interfaces. 


CLI (cwmp)> [no] trigger monitored-interface <type> <unit> [delayed-start 
<seconds>] 


If the OneOS-based router is installed as a LAN device (TR-111 client), the TR-111 association must be 
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configured as a trigger; the BOOT/BOOTSTRAP events will only trigger an INFORM if the TR-111 
association is successful (use of DHCP option 125 to learn the gateway identity). 


CLI(cwmp)> [no] trigger gateway-association 


Note: this command does not trigger TR-111 association, but modifies the trigger monitoring an interface. 
If the command is entered after that the monitored interface is up, nothing will happen. 


CWMP packets take as source address the IP address of outgoing interface, but it can be forced: 


CLI (cwmp)> source-interface <type> <unit> 
CLI (cwmp)> no source-interface 


When software upload is required, the inform response specifies the URL to query to download the 
firmware, username and passwords for authentication. Today, the parameters FileSize and 
TargetFileName are ignored. 


In the case where the firmware transfer can take another path that the query, it is possible to force the 
actual source address for the transfer: 


CLI (cwmp)> [no] transfer-source 


In router configuration, a parameter defines the backup firmware, in case the new firmware is invalid 
(default backup-software: /BSA/binaries/OneOs.old). Actually, the appropriate setup is to configure 
the router as follows: 


e /BSA/bsaBoot.inf specifies the running firmware as /BSA/binaries/OneOs.new 


e Backup firmware is /BSA/binaries/OneOs. Implicitly, the OneOS boot loader tries to load 
/BSA/binaries/OneOs.new at boot; if this file is invalid (e.g. power-off during software download), 
the boot loader loads the backup software /BSA/binaries/OneOs. 


Before downloading the file, the running software (if it exists) is renamed to overwrite the backup firmware. 
The new firmware replaces the running firmware (typically OneOs .new). After download, software integrity 
is checked. If the check is not passed, the new firmware is renamed and the router reboots. Finally, an 
INFORM RPC is sent with event code “7 TRANSFER COMPLETE”. 


To use another name for backup software, use the next command: 
CLI (cwmp)> [no] backup-software <path/filename> 
Configuration download: the configuration file is downloaded in temporary file and compared with the 


configuration download during the last TR-069 configuration update operation. If they are different, OneOS 
continues configuration update otherwise the operation is considered successful. 


After configuration download, two behaviors are possible: 


e Execute the configuration (mode=add-in) If no error in execution is detected, the upgrade is 
considered successful. If successful, the running version is saved. The downloaded configuration file 
is saved. The download operation result is successful if the downloaded file is not empty and the 
configuration file is executed without errors. With the mode add-in, if the configuration is not executed 
properly, a reboot is done automatically. 


e (mode=overwrite) (default) The downloaded configuration file is saved in /BSA/config/bsaStart.tr69. 
The router replaces the current configuration with the new one. The download operation is always 
considered successful, if the downloaded configuration file is not empty. The router reboots. 


CLI (cwmp)> config-update download-behaviour { add-in | overwrite } 


Custom proprietary objects may be inserted in the data model. 





CLI (cwmp)> [no] set-param <proprietary-managed-object-name> <value> 
[set] [get] [inform] [val-chd] 


The optional arguments after the value define how the object is accessed: 


e set: the object can be read by the Get ParameterValue RPC 





e get: the object can be read by the SetParameterValue RPC 
e inform: the object is included in the INFORM 


e val-chd:a value change on this object causes an ACS notification 
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4.3 CWMP DATA MODEL 


Operations with the data model can be done by means of the following RPC: SetParameterValues, 
GetParameterValues, GetParameterNames, and also AddObject, DeleteOb ject for objects that 
are instantiated. 





These operations can be simulated by means of CLI commands that query the OneOS CWMP stack and 
are expected to return the same result as the corresponding RPC. In the following CLI commands, it is not 
necessary to include the managed object root keyword (either “InternetGatewayDevice.” or 


“Device.”;“.” is enough). 
To simulate Get ParameterValues: 


CLI> cwmp get-param <managed-object-—name> 


To simulate SetParameterValues: 


CLI> cwmp set-param <managed-object-name> <value> <type> 


To simulate GetParameterNames: 


CLI> cwmp get-param-names <managed-object-—path> 


To dump the supported OneOS data model: 

CLI> cwmp get—param-names 
The CWMP data model include some objects that are instantiated: they are present if the corresponding 
service is explicitly configured in OneOS configuration. An object instance is identified by its number, for 
example: “InternetGatewayDevice.LANDevice.1”. 
To simulate AddObject: 


CLI> cwmp add-object <managed-collection-of-object-path> 


To simulate DeleteObject: 


CLI> cwmp delete-object <managed-object-—instance-path> 


The following table explains how to understand several instantiation numbers of CWMP managed objects. 
To simplify notations, the root object (“InternetGatewayDevice.” or “Device.”) is omitted. 





CWMP Object Instance 





Corresponding Service in CLI Configuration 








LANDevice. {i} 





The {i} instance corresponds to the BVI number. CLI configuration: 


configure terminal 
interface bvi {i} 
exit 

exit 








LANDevice.{i}.Hosts.Host.{j} 








When querying such object, OneOS CWMP engine looks up the DHCP pool associated with the BVI {i}; i.e. the 
DHCP pool must be within BVI IP network. Host. {3} is the i" host in the DHCP binding table that corresponds to 
that pool. 
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CWMP Object Instance 





Corresponding Service in CLI Configuration 








LANDevice. {i}.LANEthernetInterfaceConfig. {j} 














ANEthernet InterfaceConfig. {4} corresponds to the Ethernet port fastEthernet 0/{ 4-1}. That port 
must be port of the BVI {i} bridge group. CLI configuration: 


configure terminal 
interface bvi {i} 





bridge-group <x> 

exit 

interface fastEthernet 0/{j-1} 
bridge-group <x> 
no ip address 

exit 

exit 








LANDevice. {i} .LANHostConfigManagement.IPInterface. {7} 





IPInterface.1 corresponds to the main IP address; the following instances are secondary addresses by order 
of configuration. CLI example: 
configure terminal 
interface bvi {i} 
! IPInterface.1 
ip address 192.168.1.1 255.255.255.0 
! IPInterface.2 
ip address 192.168.1.1 255.255.255.0 second 


exit 
exit 








LANDevice. {i} .WLANConfiguration. {j} 





The {4} instance corresponds to the interface dotllradio 0/{j}. 
It must be part of BVI {i} bridge-group. 


configure terminal 
interface bvi {i} 


bridge-group <x> 

exit 

interface dotllradio 0/{j} 
bridge-group <x> 
no ip address 

exit 

exit 








WANDevice. {i} 





{i} is the index of the physical interface minus one. 
Each ATM physical interface: atm {i-1}.y. {i} is therefore 1 most of the time. 








WANDevice. {i} .WANConnectionDevice. {j} 





{3} is the index of the ATM sub-interface (atm {i-1}.{3}). atm 0.1 is mapped to 
WANDevice.1.WANConnectionDevice.1 








WANDevice. {i} .WANConnectionDevice. {j} .WANIPConnection.{k} or 
WANDevice. {i} .WANConnectionDevice. {j}.WANPPPConnection. {k} 





A singly WANIPConnection instance is supported. k is always worth 1. 




















WANDevice. {i} .WANConnectionDevice. {j} .WANIPConnection.1.PortMapping. {k} 
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CWMP Object Instance 





Corresponding Service in CLI Configuration 








{k} starts from 1 to N, where N is the number of static NAPT rules. 


configure terminal 
interface atm {i-1}.{7j} 


ip nat static-napt tcp 192.168.1.2 80 self 80 
ip nat static-napt udp 192.168.1.2 245 self 245 
exit 
exit 





Services.VoiceService.{i}.VoiceProfile.{j} 





{i} and {5} are always 1. 








Services.VoiceService.1.VoiceProfile.1.Enable 





Administrative state of the SIP or H.323 gateway. State mapping (TR-69 <OneOS): 
- Disabled: voice gateway is shutdown 

- Enabled: voice gateway is ‘no shutdown’ 

- Quiescent: not supported 








Services.VoiceService.1.VoiceProfile.1.Line. {i} 





If applied to FXS, {i} index represents indeed an FXS line. With ISDN BRI/PRI, it represents a SIP account. 


To identify the number of SIP accounts, the voice routing table is scanned from index MIN to index MAX (MIN=25, 
MAX= max limit of the product — 25). Index is route-number i.e. MIN +1. 


Get Action: do a get on all sub-objects. 
Set Action: N/A. 
Add Object: create a route after the last voice route and set a default sip-username=prefix=xxxxxx, phyRefList=0. 








Services.VoiceService.1.VoiceProfile.1.Line.{i}.Enable 





When manipulating that object, the software looks for all physical voice ports associated with pots-group {i}. 
Mapping TR-69 < OneOS when reading Enable: 


- Enabled: all voice ports are ‘no shutdown’ 
- Quiescent: not supported 
- Disabled: if not enabled 








Services.VoiceService.1.VoiceProfile.1.Line.{i}.DirectoryNumber 





Get/Set action: 
- Sets/gets the prefix <number> length <yy> and sip-username. 


- If the PhyReferenceList object is not empty and the associated pots-group corresponds to a single FXS 
voice port, adds the "insert-calling-number <directoryNumber>" under the voice port 


Valid format: [+]?[A-Z09*#]+ 

If the directory number is in the international format: 

- The OneOS router must be configured with the option to automatically process international numbering plan. 

- The value in "prefix <number> ..." command is pre-processed (e.g. in France, a directory number of 
+33141877001 becomes 0141877001) and the voice route must match number with ToN = National. 

- Incase of FXS, the number in "insert-calling-number" is the DirectoryNumber that was pre- and post- 
processed for FXS (post-processing for a dial-peer not supporting internal number format). 








Services.VoiceService.1.VoiceProfile.1.Line.{i}.SIP.AuthUserName 





Set Action: 

- Corresponds to sip-authentication 

- If not empty, the prefix attribute "ua-sip" is set. 
- If empty, the prefix attribute "ua-sip" is unset. 











Services.VoiceService.1.VoiceProfile.1.Line.{i}.SIP.AuthPassword 
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CWMP Object Instance 





Corresponding Service in CLI Configuration 








- Set Action: corresponds to sip-authentication. 








Services.VoiceService.1.VoiceProfile.1.Line.{i}.PhyReferenceList 





It corresponds to the pots-group. Format (regexp): \d+ 
Set: for the corresponding route, associate the dial-peer pots <nbr> in hunting mode. 
Get: take the pots-group value from the route. If it is not a pots-group or if it is not set, return an empty string. 








Services.VoiceService.1.VoiceProfile.1.Line.{i}.Status 





OneOS looks up the dp-pots ua-sip under voice-routing as described above. 


- If that number must be registered to SIP server (the command ‘dial-peer pots <i> .. ua-sip’ is 
present), the status corresponds to registration status of that number. 


- If that number must not be registered, corresponds to the global registration status of SIP / H.323 gateway. 
State mapping (TR-69 < OneOS): 
- Disabled: SIP gateway is shutdown or the voice-port associated with that number is shutdown. 


- Registering: SIP gateway is ‘no shutdown’ (or the gateway interface is up) but SIP gateway / number is not 
registered. 


- Up: number registered (or the SIP gateway is completely registered). 








Services.VoiceService.1.VoiceProfile.1.X_ONEACCESS_VOICEPOTS. {i} 





Proprietary object: Voice pots table. 


Add object: creates the dial-peer voice pots. 
Object index {i} corresponds to dial-peer voice pots {i}. 








Services.VoiceService.1.VoiceProfile.1.X_ONEACCESS_VOICEPOTS.{i}.port 





Proprietary object: Voice port. Typically "5/0", "5/1". 








Services.VoiceService.1.VoiceProfile.1.X_ONEACCESS_VOICEPOTS. {i}.potsGroup 





Proprietary object: Pots-group number. 








Services.VoiceService.1.ISDNInterface. {i} 








The {i} instance of the object corresponds to the BRI port+1 (ISDN 5/0 is mapped to ISDNinterface.1). 
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4.4 ENABLING TR-111/TR-69 PASS-THROUGH 


TR111 UDP Connection Request module uses a STUN Server to determine if a NAT Binding is in use or 
not and retrieve the public address/port in the case that NAT is used. 


When CWMP service is up, and STUN client parameter is set to TRUE, TR111 UDP Connection Request 
module will try to communicate via UDP with the STUN Server. 


To start the STUN client, use the following command in CWMP configuration mode: 


CLI (cwmp)> udp-cr stun-client enable true 


To stop the STUN client, use the following command in CWMP configuration mode: 


CLI (cwmp)> udp-cr stun-client enable false 


To configure the STUN Server address, use the following command in CWMP configuration mode. The 
default STUN Server port number is 3489. 


CLI (cwmp)> udp-cr stun-client server-address <IP-address> [<port>] 


If NAT is detected, the parameter NATDetected is set to TRUE and the parameter 
UDPConnect ionRequestAddress is updated with the public address. 





If no NAT is detected, the parameter NATDetected is set to FALSE and the parameter 
UDPConnect ionRequestAddress is updated with the private address. 





To configure the STUN client authentication settings, use the following command in CWMP configuration 
mode: 


CLI (cwmp)> udp-cr stun-client authentication <username> <password> 
To configure the STUN client keepalive settings, use the following command in CWMP configuration 
mode: 

CLI (cwmp)> udp-cr stun-client keepalive <min-seconds> <max-seconds> 
To restore the STUN client keepalive default settings (0-4294967295 seconds), use the following 
command in CWMP configuration mode: 

CLI (cwmp)> udp-cr stun-client default keepalive 
To configure the STUN client minimum notification interval, use the following command in CWMP 
configuration mode: 

CLI (cwmp)> udp-cr stun-client min-notification-interval <seconds> 
To restore the STUN client default minimum notification interval (0 second), use the following command in 
CWMP configuration mode: 


CLI (cwmp)> udp-cr stun-client default min-notification-interval 
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4.5 MANUAL CWMP OPERATIONS 


Invoking the request download event: 


CLI> cwmp inform request-—download { 1-firmware-update 
| 2-web-content 
| 3-vendor-configuration-file } 


Sending a CWMP INFORM with BOOTSTRAP event: 


CLI> cwmp start 


Sending a CWMP INFORM with BOOT event: 


CLI> cwmp event BOOT 


To cancel the CWMP operation in progress: 





CLI> cwmp stop 


To force CWMP to send a BOOTSTRAP event at next boot, you must clean up a file (that would also be 
cleaned up by a factory reset): 


CLI> rm /BSA/persist/cwmp. ini 
CLI> reboot 
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4.6 CWMP STATISTICS AND TROUBLESHOOTING 


The debug mode activates the traces and also saves the CWMP transaction messages in the 
/cwmp/temp directory: 


CLI> [no] debug cwmp { all | application | session | data } 


The CWMP statistics are provided by the next command: 


CLI> show cwmp statistics 


The CWMP configuration status is obtained as follows: 


CLI> show cwmp setup 


The status of the ongoing downloads is obtained as follows: 


CLI> show cwmp request-download state 


The status of the ongoing UDP-connection request is obtained as follows: 





CLI> show cwmp udp-cr 





4.7 CWMP CONFIGURATION EXAMPLE 


configure terminal 
cwmp 
acs url http://acserver:7547/proxyServlet 
trigger monitored-interface atm 0.1 
config-update download-behaviour add-in 
exit 
exit 
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5 AUTOCONFIGURATION 


This section describes the autoconfiguration features of OneOS and how to activate this function. 


Autoconfiguration permits, when starting DHCP client on an interface, to automatically acquire 
configuration parameters. This permits also to retrieve new image releases, thus facilitating image update 
on a large-scale basis. In order to adapt to varying customer requirements, several autoconfiguration 
methods can be defined. 


The objective of such function is to optimize deployment and maintenance costs of OneOS-based routers. 
Indeed, all routers stored in the warehouse have the same configuration files and software. When they are 
deployed in the customer premises, they download their configuration files and software if needed. This 
procedure enables the standardization of deployment and maintenance, which, in turn, enables significant 
operative savings. 
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5. 


1 


AUTOCONFIGURATION FEATURES 


The Autoconfiguration implementation is compliant with DHCP RFC 2131 and RFC 2132. Note that some 
well defined DHCP fields have been reused, in order to provide a better use for our customers. 


Autoconfiguration can download router software and configuration. The following diagram shows the state 
machine of autoconfiguration and the controls made to avoid the download of faulty 
software/configurations. The first step ("Execute bsaStart and backup configuration") is detailed in the 
second diagram. 


Overall State Machine 



















Execute bsaStart.cfg 
Backup configuration 

in case of errors 

(detailed in next diagram) 


Start 


No - errors in bsaStart.cfg 


Run Autoconfig periodically. 
Retrieve SW and / or config to 
download 


Download Config. 
New config 
different from 
bsaStart.cfg? 










Is new OS name 
different from 
current? 


Yes 








New config 
different from 
bsaStart.err? 


No 


Is downloaded 
OS integrity 
correct? 














Copy bsaStart.cfg 
into bsaStart.old. 
Copy new config 
into bsaStart.cfg. 
Reboot. 
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Detail of Sub-State "Execute bsaSiart.cfg Backup configuration in case of errors" 


Execute bsaStart.cfg 









Errors while Executing 


N 
7 bsaStart.cfg 


Yes 


Rename bsaStart.err Copy bsaStart.cfg into bsaStart.err 
bsaStart.bak Put bsaStart.cfg into bsaStart.tmp 
(but CLI lines causing errors are 
commented out in bsaStart.tmp) 
Suppress bsaStart.bak 





Start autoconfig if configured 








Is command ‘reboot-recovery-on- 


error’ present? 
Yes 


Copy bsaStart.old into bsaStart.cfg 
Reboot 









Start autoconfig if configured 











5.2 AUTOCONFIGURATION CONFIGURATION COMMANDS 


The autoconfiguration feature requires that a DHCP client be enabled on an interface. 
5.2.1 Enabling Autoconfiguration 


To enable autoconfiguration and select the method, use the following command in global configuration 
mode: 


CLI (configure)> autoconfiguration <method> 
CLI (oaac-mthd1) > 





Actually, only methods ‘1’, ‘2’, ‘3’ and ‘4’ are available (see below). From there, the user must configure 
method-specific parameters. 


To deactivate autoconfiguration, use the no form of the following command in global configuration mode. 


CLI (configure)> no autoconfiguration <method> 


Once the method-specific parameters are entered, enter the ‘execute’ command to complete the service 
configuration: 


CLI (oaac-mthdl)> execute 
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5.2.2 


5.2.2.1 


Method-1-Specific Autoconfiguration Parameters 
Voice Autoconfiguration 
Voice service could also be started using autoconfiguration method #1. To activate this feature, use the 
following command under H.323 gateway configuration: 
CLI (h323gw)> gw-address autoconfig 
In this case, The OneOS-based router waits for a DHCP request and uses the information contained in the 


DHCP message (option #14) to start the H.323 gateway. The option #14 is an ASCII string with the 
following format: 


Option14: “<protocol identifier>|<A>.<B>.<C>.<D>|<gateway identifier>” 


Where: 


e The protocol identifier should be set to 2 when H.323 protocol is selected. Others values has been 
reserved to maintain future software compatibility. 


e ‘<A>.<B>.<C>.<D>’ is the gatekeeper IP address, used to setup a manual or automatic registration to 
this gatekeeper. When OneOS receives a broadcast IP address, an automatic process is started 
instead of a manual one. When this IP address is set to 0, the H.323 gateway is stopped after 
disconnecting all running calls. 


e The gateway identifier provides the name of the OneOS-based router to the gatekeeper (concerning 
the RAS protocol). 


The OneOS-based router can dynamically update those parameters even if the H.323 gateway is already 
started. The H.323 gateway behavior depends on theses parameters. 


In this case, others parameters into h323-gateway configuration entry are optional except the gw- 
interface andno shutdown commands. 


To deactivate this feature, use the following command: 


CLI (h323gw)> gw-address implicit 


5.2.2.2 Software Image Download 


‘Method #1’ enables to check that the device has the right software image and to download a new image if 
needed. The process is described as follows: 


e The router gets the IP address of a TFTP server in the option #17 


e If the option #17 provides a valid address, the router downloads an image information file that 
indicates the software image name and size and the TFTP server, where the image is stored. 


e If the image currently in use is different from the one retrieved in the image information file, the new 
image is downloaded and the device reboots with the new image. 


The option #17 is an ASCII string containing the IP address of the TFTP server under the format: 
‘<A>.<B>.<C>.<D>’. 


The image information file is a text file with the following fields: 


[one200] 
<string>:<software-image-file> 
<tftp-ip-addres> 
<length-in-bytes> 

[one400] 
<string>:<software-image-file> 
<tftp-ip-addres> 
<length-in-bytes> 

[one100] 
<string>:<software-image-file> 
<tftp-ip-addres> 
<length-in-bytes> 

[one300] -- also available for onel180 
<string>:<software-image-file> 
<tftp-ip-addres> 
<length-in-bytes> 
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Where: 

e string is actually any string (not significant today, for future use). 

e software-image-file is the name of the image file of the TFTP server. 

e tftp-ip-addres is the address of the TFTP server, where the image can be downloaded. 


e length-in-bytes is the size in bytes of the image (to check if there is enough space in flash before 
downloading). 


The file can contain information for several device names. 


5.2.2.3. Configuration Example 


The following example shows a WAN topology in which autoconfiguration and DHCP is configured. In this 
example, router A is the DHCP client that needs to be auto-configured. Router B is the DHCP server as 
well as the default gateway router for A. 





88.123.12.1 





HOSTB 
88.123.12.243 











oe Router A 
yo 10.0.0.1 


GATEKEEPER 
88.123.12.242 









































The configuration script is as follows for router A: 


ip dhcp vendorid voipt0t2-oneaccess 
autoconfiguration methodl 
interface FastEthernet 0/0 
ip address 10.0.0.1 255.255.255.0 
exit 
! 
! here, configure atm 
! 
interface atm 0.1 
pvc ipoa vpi 0 vci 32 
execute 
exit 
ip address dhcp client-id fastethernet 0/0 
ip nat inside overload 
exit 
! 
! here, configure voice 
! 


dial-peer voice voip 0 


gatekeeper mandatory ! select RAS protocol 
no shutdown 
exit 
h323-gateway 
gw-interface atm 0.1 ! link the H.323 gateway to an interface 
gw-address autoconfig ! select autoconfiguration feature 
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no shutdown 
exit 
exit 


The configuration script is as follows for router B: 


ip dhcp pool global 
host 88.123.12.2 
client-identifier ONE60/08:00:51:00:11 
default-router 88.123.12.1 
dns-server 122.12.32.154 
netmask 255.255.252.0 
lease 0 12 0 
option ascii 14 2|88.123.12.242|gw-test 
option ascii 17 88.123.12.243 
exit 
interface FastEthernet 0/0 
ip address 88.123.12.10 255.255.252.0 


exit 
DHCP autoconfiguration parameters are ASCII strings configured as following: 


Optionl4: “2|88.123.12.242|gw-test” 
Optionl7: “88.123.12.243” 


File oneaccess.general located in host B can be configured like that: 


[one200] 
FO01L002.00:ONEOS1-VOIP-V3.3R2E31T1 
220.0.0.43 
5446002 

[one400] 

FOL002.00:ONEOS2-VOIP-V3. 3R2E31T1 
220.0.0.43 

5555002 


Once A retrieved main DHCP parameters (IP address, net mask, default route and DNS server), 
autoconfiguration looks up for options #17 and #14. 


Voice parameters contained in option #14 indicate that a gatekeeper named gw-test at IP address 
88.123.12.242 is ready. The first number (2) means that h323 module is required. Otherwise, voice 
configuration is bypassed. 


Option #17 is the IP address of the remote TFTP server to download image information file 
oneaccess.general. Once the IP address is extracted from option #17, the file is retrieved and 


analyzed. 


5.2.3 Method-2-Specific Autoconfiguration Parameters 

Note: as of V4.3R2E2 software release, Method-2 Autoconfiguration is not supported outside default VRF. 
5.2.3.1 Voice Autoconfiguration 

Voice autoconfiguration is the same as method 1. 
5.2.3.2. Downloading Configuration and Software 


In this method, the process is: 


e The router sends a DHCP discover with option #60 (vendor-id) under the form voipt0t2- 
oneaccess-<software-release> and gets the IP address of a TFTP server in the option #17. 


e If the option #17 provides a valid address, the router downloads an information file that indicates the 
software image name, configuration file and the FTP servers to be used, where the configuration and 
image files are stored. 


e The option #67 tells what is the information file name containing all the above-mentioned information. 
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The option #17 is an ASCII string containing the IP address of the TFTP server under the format: 
‘<A>.<B>.<C>.<D>’. 


The downloaded information file is under the following form: 


/home/luci/admintests/oaac/config_one200 
192.168.30.234 

lucilu 

lucil23 

admintests/oaac/oneosl.gen 
192.168.30.234 


The syntax is the following: 
<config-path/filename> 
<ftp-server-ip> 
<login> 
<password> 
<path/gen-file> 
<tftp-server-ip> 


Details about parameters: 


e config-path/filename: full path and file name of the configuration file that must be downloaded. 


e ftp-server-ip: it is assumed that the configuration file is on a FTP server whose IP is provided 
here. 

e login: FTP login. 

e password: FTP password. 


e path/gen-file: full path and name of the general file, where the software images are specified. 
This file is similar to oneaccess. general of autoconfiguration method 1. It has the following form: 

[one200] 

FO01L002.00:ONEOS1-VOIP-V3.3R2E31T1 

220.0.0.43 

5446002 

[one400] 

FOL002.00:ONEOS2-VOIP-V3.3R2E31T1 


220.0.0.43 
5555002 


e tftp-server-ip: TFTP server where the general file is kept. 


The autoconfiguration is retried until successful; then, the process restarts periodically (corresponding to 
the DHCP lease time) in order to check for new versions or configuration. 


At successful completion of the software upload/download, some test calls are sent. Traps are emitted to 
the configured event managers, if no test call is successful. If no successful call after 3 attempts is 
observed, the Voice LED remains red. 


To enable autoconfiguration method 2 and select the method, use the following command in global 
configuration mode: 


CLI (configure)> autoconfiguration 2 
CLI (oaac-mthd2) > 


To configure the interface onto which DHCP requests must be issued, enter the following command: 


CLI (oaac-mthd2)> add-interface <type> <unit> 


If the software image is allowed to be upgraded, the following command must be entered (default: 
disabled): 


CLI (oaac-mthd2)> os-update {enabled| disabled} 


To specify the hostname that must be used within DHCP inform: 


CLI (oaac-mthd2)> add-hostname <string> 


The autoconfiguration can be enabled only after synchronization with a NTP server: 


CLI (oaac-mthd2)> add-ntp-server <ip> 


The autoconfiguration logs can be sent to a syslog server: 
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CLI (oaac-mthd2)> add-syslog-server <ip> 


When the configuration is completed, always enter the ‘execute’ command to activate the changes: 
CLI (oaac-mthd3)> execute 
The next parameter enables to reboot automatically with the old configuration in case the new 


configuration downloaded is detected as invalid (errors while executing the start configuration; by default: 
disabled): 


CLI (oaac-mthd3)> exit 
CLI (configure)> [no] reboot-recovery-on-error 


5.2.4 Method-3-Specific Autoconfiguration Parameters 
5.2.4.1 Voice Autoconfiguration 
Voice autoconfiguration is the same as method 1. 
5.2.4.2. Enabling test calls 
This method is similar to method 2 but no image and configuration file are downloaded. In this method, the 


process is: 


e The router sends a DHCP discover with option #60 (vendor-id) under the form voipt0t2- 
oneaccess-<software-release> and gets the IP address of a TFTP server in the option #17. 


e The router retrieves the voice parameters and proceeds with test calls. 


The autoconfiguration is retried until successful. Traps are emitted to the configured event managers, if no 
test call is successful. If no successful call after 3 attempts is observed, the Voice LED remains red. 


To enable autoconfiguration method 3, use the following command in global configuration mode: 
CLI (configure)> autoconfiguration 3 
CLI (oaac-mthd3) > 

To configure the interface onto which DHCP requests must be issued, enter the following command: 


CLI (oaac-mthd3)> add-interface <type> <unit> 


To specify the hostname that must be used within DHCP inform: 


CLI (oaac-mthd3)> add-hostname <string> 


The autoconfiguration can be enabled only after synchronization with a NTP server: 


CLI (oaac-mthd3)> add-ntp-server <ip> 


The autoconfiguration logs can be sent to a syslog server: 


CLI (oaac-mthd3)> add-syslog-server <ip> 


When the configuration is completed, always enter the execute command to activate the changes: 


CLI (oaac-mthd3)> execute 
5.2.5 Method-4 Autoconfiguration 


Note: as of V4.3R2E2 software release, Method-4 Autoconfiguration is not supported outside default VRF. 


Autoconfiguration method 4 is configured with the same parameters as autoconfiguration method 2 and 
the file formats on FTP/TFTP servers are the same, as well as DHCP options. 


The main differences between method 2 and 4 are exclusively related to OneOS behavior: the way to 
download files, to reboot and to recover from errors is different. To further detail the behavior of method-4 
autoconfiguration, the next diagram depicts the autoconfiguration steps: 
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5.3 AUTOCONFIGURATION STATISTICS 


To display statistics about the existing autoconfiguration, use the following command line: 


CLI> show autoconfiguration 

autoconfig methodl 

config: tftp tries 0 (0 successfull, 0 bad params) 

software version: tftp tries 0 (0 errors, 0 checksum errors) 
system: errors fs 0, other 


To display help information on how to use autoconfiguration, simply type the ‘autoconfiguration’ command: 


CLI (configure)> autoconfiguration 
methodl: voice configuration and image version download manager 
dhcp: option 14{A|B|C}, A=2 for H323, B gatekeeper ip@, B gateway identifier 
option 17{D}, tftp server to download config file 
oneaccess.general format: 
[header] machine type: one200 or one400 
filename in the format A:B where A is a private name, B is the image version 
ipaddress ip address of tftp server to download image from filesize number of bytes of 


the file to download 





5.4 AUTOCONFIGURATION DEBUG AND TRACE 


To enable autoconfiguration debugging, use the following command: 


CLI> debug autoconfiguration 





CLI> no debug autoconfiguration 
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